The US Safe Harbor - Fact or Fiction? (2008)
4. Compliant members
The study found that only 348 organisations meet even the most basic requirements of the Safe Harbor Framework. This figure was reached using the following steps:
| Membership Requirement | Notes | Number of entries | Number of unique entries removed | Cumulative total |
|---|---|---|---|---|
| Organisation is listed. | All organisations listed on 17 October 2008. | 1597 | 0 | 1597 |
| Unique entry | Removes doubles, triples and the test file | 19 | 19 | 1578 |
| Collects EU personal information | Removes irrelevant organisations who do not collect any EU personal information | 7 | 7 | 1571 |
| Listed as current by DOC | Removes organisations listed by the Department of Commerce as ‘not current’ | 342 | 329 | 1242 |
| Listed as current by certification renewal date | Removes organisations that failed to renew by 17 October 2008. | 477 | 133 | 1109 |
| Website privacy policy is accessible | Removes organisations who claim to have a website privacy policy, but it is unreachable. | 175 | 57 | 1052 |
| Privacy policy mentions Safe Harbor | Removes organisations who have a public privacy policy but it does not mention the Safe Harbor at all | 218 | 127 | 925 |
| Privacy policy complies with the enforcement principle | Removes organisations who have a public privacy policy that does not provide information on the selected dispute resolution provider. | 587 | 279 | 646 |
| Affordable dispute resolution provider. | Removes organisations who have selected AAA or JAMS as their dispute resolution provider in either their certification record or their public privacy policy. | 209 | 107 | 539 |
| Verified member of TRUSTe dispute resolution. | Removes organisations who have selected TRUSTe as their dispute resolution provider when they are not current members. | 29 | 11 | 528 |
| Verified member of TRUSTe privacy program | Removes organisations who claim to be members of the TRUSTe privacy program when they are not current members | 30 | 2 | 526 |
| Verified member of the BBB Safe Harbor program | Removes organisations who claim to be members of the BBB Safe Harbor program when they are not current members. | 4 | 3 | 523 |
| Dispute resolution provider exists | Removes organisations who have selected BBB Online Privacy as their dispute resolution provider (closed in July 2008) | 21 | 15 | 508 |
| Privacy program exists | Removes organisations who claim to be members of BBB Online Privacy (closed in July 2008) | 31 | 3 | 505 |
| No website privacy policy | Removes organisations who require a password or direct contact in order to obtain their privacy policy. | 246 | 151 | 354 |
| No misleading information | Removes organisations who are using unauthorised Safe Harbor seals or who claim they have been certified by the Department of Commerce or the EU | 32 | 6 | 348 |
The 348 organisations that are listed as compliant with these basic Safe Harbor requirements may not in fact be compliant with all seven of the more detailed Safe Harbor Principles, as this study only assessed compliance with Principle 7.
It is also important to note that although an organisation may be listed here as compliant, it may have restricted the scope of its Safe Harbor membership to a particular category of data. For example, 41 of these organisations have restricted the scope of their Safe Harbor membership to human resources data only.
Of the 348 organisations who were found to be compliant in this study, only 54 extended their Safe Harbor membership to all data. This is extremely important. Out of the 1,597 entries on the Safe Harbor list only 54 are compliant with basic Safe Harbor requirements for all categories of data – only 3% of organisations on the list.