The US Safe Harbor - Fact or Fiction? (2008)

5.8. Co-operation with the EU DPA Panel

The Safe Harbor enforcement principle requires organisations to identify an independent dispute resolution provider. However, it allows organisations to select an alternative approach – they may agree to cooperate with the dispute resolution Panel established by the EU Data Protection Authorities. Indeed, this approach is required for all human resources data.

Evidence of this ‘agreement to cooperate’ is essential, as the 2002 and 2004 EU reviews both found that it was necessary for a US organisation to agree to cooperate in order for the EU DPA Panel to gain jurisdiction. It was not sufficient to merely indicate the existence of the Panel or to refer consumers with disputes to individual EU Data Protection Authorities.

The agreement to cooperate with the EU DPA Panel may appear in either the self-certification entry or in the privacy policy. As usual there are considerable problems with data quality regarding this requirement. This includes inconsistency between the entry in the form, and entries on privacy policies. Also, 208 organisations failed to click on a selection in this part of the form, so their entry reads ‘select appropriate response’ – it is therefore unclear whether these organisations are bound.

Also, most privacy policies do not accurately convey information about the Panel to consumers. There is often no mention at all of the existence of the Panel. Where EU Data Protection Authorities are mentioned at all, the situation is often misdescribed in terms similar to the following:

If you cannot resolve the issue directly with the Company X Safe Harbor Privacy Contact, you may contact your local data protection authority for further information.[16]

Without a clear indication to consumers that the EU DPA Panel exists as an independent dispute resolution service AND a clear commitment to cooperate with the Panel, organisations are not compliant with the Safe Harbor.

In addition, some privacy policies contain references that would make no sense to a consumer, such as:

For human resources data we have agreed to cooperate with Data Protection Authorities.

In this example (and similar sites) there is no information about who or where these data protection Authorities are, and what their role is in the case of a dispute.

Overall, the Galexia study found that there was a very low level of compliance with the requirement to identify the EU DPA Panel correctly as the appropriate dispute resolution provider. Only four organisations in the entire study provided contact details for the Panel.

[16] <>