Galexia

The US Safe Harbor - Fact or Fiction? (2008)

4. Compliant members

The study found that only 348 organisations meet even the most basic requirements of the Safe Harbor Framework. This figure was reached using the following steps:

| Membership requirement | Notes | Number of entries | Number of unique entries removed | Cumulative total |
|---|---|---|---|---|
| Organisation is listed | All organisations listed on 17 October 2008. | 1597 | 0 | 1597 |
| Unique entry | Removes doubles, triples and the test file. | 19 | 19 | 1578 |
| Collects EU personal information | Removes irrelevant organisations who do not collect any EU personal information. | 7 | 7 | 1571 |
| Listed as current by DOC | Removes organisations listed by the Department of Commerce as ‘not current’. | 342 | 329 | 1242 |
| Listed as current by certification renewal date | Removes organisations that failed to renew by 17 October 2008. | 477 | 133 | 1109 |
| Website privacy policy is accessible | Removes organisations who claim to have a website privacy policy, but it is unreachable. | 175 | 57 | 1052 |
| Privacy policy mentions Safe Harbor | Removes organisations who have a public privacy policy that does not mention the Safe Harbor at all. | 218 | 127 | 925 |
| Privacy policy complies with the enforcement principle | Removes organisations who have a public privacy policy that does not provide information on the selected dispute resolution provider. | 587 | 279 | 646 |
| Affordable dispute resolution provider | Removes organisations who have selected AAA or JAMS as their dispute resolution provider in either their certification record or their public privacy policy. | 209 | 107 | 539 |
| Verified member of TRUSTe dispute resolution | Removes organisations who have selected TRUSTe as their dispute resolution provider when they are not current members. | 29 | 11 | 528 |
| Verified member of TRUSTe privacy program | Removes organisations who claim to be members of the TRUSTe privacy program when they are not current members. | 30 | 2 | 526 |
| Verified member of the BBB Safe Harbor program | Removes organisations who claim to be members of the BBB Safe Harbor program when they are not current members. | 4 | 3 | 523 |
| Dispute resolution provider exists | Removes organisations who have selected BBB Online Privacy as their dispute resolution provider (closed in July 2008). | 21 | 15 | 508 |
| Privacy program exists | Removes organisations who claim to be members of BBB Online Privacy (closed in July 2008). | 31 | 3 | 505 |
| No website privacy policy | Removes organisations who require a password or direct contact in order to obtain their privacy policy. | 246 | 151 | 354 |
| No misleading information | Removes organisations who are using unauthorised Safe Harbor seals or who claim they have been certified by the Department of Commerce or the EU. | 32 | 6 | 348 |

The 348 organisations that are listed as compliant with these basic Safe Harbor requirements may not in fact be compliant with all seven of the more detailed Safe Harbor Principles, as this study only assessed compliance with Principle 7.

It is also important to note that although an organisation may be listed here as compliant, it may have restricted the scope of its Safe Harbor membership to a particular category of data. For example, 41 of these organisations have restricted the scope of their Safe Harbor membership to human resources data only.

Of the 348 organisations found to be compliant in this study, only 54 extended their Safe Harbor membership to all data. This is extremely important. Out of the 1,597 entries on the Safe Harbor list, only 54 are compliant with basic Safe Harbor requirements for all categories of data – only 3% of organisations on the list.