The US Safe Harbor - Fact or Fiction? (2008)

6.2. Recommendations for the US

The US should consider taking steps to rectify some of the more pressing Safe Harbor problems identified in this study:

  • The Federal Trade Commission and/or the Department of Commerce should consider investigating the hundreds of organisations who make false claims in relation to their membership of the Safe Harbor and/or their membership of dispute resolution providers;
  • The Federal Trade Commission and/or the Department of Commerce should consider investigating organisations who claim that they have been certified by the Department of Commerce or certified by the EU, or who otherwise misdescribe the self-certification process;
  • The Department of Commerce should consider revising its public statements about the number of organisations who are ‘participants’ in the Safe Harbor at any given date, in order to exclude non-current members, duplicate entries etc.;
  • The Department of Commerce should consider investigating the unauthorised and/or misleading use of its Departmental logo in the privacy policies and websites of organisations;
  • The Department of Commerce should consider abandoning the use of the Safe Harbor Certification Mark, as it is open to abuse and in the majority of cases it is misleading. Alternatively, the Certification Mark should use the words ‘self certified’ within the graphic, and the graphic should accurately indicate the categories of data covered by that specific organisation’s membership;
  • Some Safe Harbor dispute resolution providers (notably DMA) should publish public lists of their members so that membership can be validated by the public (most providers already comply with this requirement);
  • All Safe Harbor dispute resolution providers (e.g. TRUSTe, BBB and DMA) should develop a process that automatically suspends an organisation’s membership if they fail to renew their Safe Harbor certification; and
  • TRUSTe should require all of its members to immediately cease referring to TRUSTe as ‘non-profit’.

Until the Safe Harbor is reviewed and improved, consumers and business should approach all claims made regarding the Safe Harbor with great care, and undertake their own investigations before providing any personal information to US organisations.

The ability of the US to protect privacy through self-regulation, backed by claimed regulator oversight, is questionable. There are growing calls, including campaigns by leading business groups, for the US to abandon the self-regulation approach and embrace comprehensive privacy legislation. Comprehensive privacy legislation ensures that personal information is protected by privacy rights for all organisations, all of the time. Where legislation is in place an individual’s privacy rights do not disappear because an organisation has forgotten to renew their membership of a dispute resolution service, or because a dispute resolution service closes its doors.

The International Monetary Fund (IMF) publishes a list of advanced economies – those economies that have advanced markets, high wealth and do not rely on a single resource such as oil. Of the 31 countries that appear on that list only Singapore and the US do not have privacy legislation. It may be time for the US to abandon one list and join the other.