Galexia

The US Safe Harbor - Fact or Fiction? (2008)

1. Introduction

The US Safe Harbor is an agreement between the European Commission and the United States Department of Commerce that enables US organisations to self-certify their compliance with the Safe Harbor Principles and be placed on a public Safe Harbor List, demonstrating adequate privacy protection under the European Union Data Protection Directive. This allows the transfer of personal data to the US in circumstances where the transfer would otherwise not meet the European adequacy test for privacy protection.

The first public draft of the Safe Harbor Principles was released in November 1998[2], although they were not officially accepted by the EU until 2000.

The Safe Harbor is best described as an uneasy compromise between the comprehensive legislative approach adopted by European nations and the self-regulatory approach preferred by the US. The Safe Harbor Framework has been the subject of ongoing criticism, including two previous reviews (2002 and 2004). Those reviews expressed serious concerns about the effectiveness of the Safe Harbor as a privacy protection mechanism.

After ten years of public debate it is time to examine the Safe Harbor again. This article summarises the findings of a Galexia study regarding the current status of the Safe Harbor Framework. The Galexia study assessed each of the organisations listed on the Safe Harbor List (1,597 entries) against a small subset of key criteria contained in the Safe Harbor Framework Principles.

This study raises concerns that many aspects of the Safe Harbor Framework are not working. Highlights of this study include:

Compliance:

  • Although the list contained 1,597 entries, only 1,109 organisations were current members of the Safe Harbor Framework. Many organisations on the list no longer exist or they have failed to renew their certification. The list also includes double entries.
  • Only 348 organisations meet even the most basic requirements of the Safe Harbor Framework. Many organisations did not have a public privacy policy, or the policy failed to even mention the Safe Harbor. A large number of organisations failed to comply with Principle 7 – Enforcement and Dispute Resolution, as they did not identify an independent dispute resolution process for consumers.
  • 209 organisations selected a dispute resolution provider that was not affordable. These include the American Arbitration Association (AAA) that costs between $120 and $1,200 per hour (with a four-hour minimum charge plus a $950 administration fee), and the Judicial Arbitration Mediation Service (JAMS) that costs $350 to $800 per hour (plus a $275 administration fee). Organisations either failed to disclose these costs or required the consumer to share these costs.

False and/or misleading information:

  • 206 organisations claim on their public websites to be members of the Safe Harbor when they are not current members. Many of these false claims have continued for several years.
  • 36 of these 206 false claimants were also accredited by a third-party trustmark provider as current members of that provider's Safe Harbor trustmark scheme (e.g. the TRUSTe Safe Harbor and BBB Safe Harbor programs), even though these organisations are not current members of the official Safe Harbor.
  • 73 organisations claimed to be members of a Privacy Trustmark Scheme (e.g. TRUSTe or the BBB Safe Harbor program) when they are not current members of those schemes, or they claimed to be members of BBB Online Privacy – a scheme that closed 18 months ago and has not accepted any complaints since June.
  • 20 organisations displayed a Department of Commerce Safe Harbor ‘seal’ on their website when they were not actually compliant with the Safe Harbor Framework, including numerous unauthorised seals created using graphics software.
  • 24 organisations claimed that they had been certified by the Department of Commerce or certified by the EU – when the Framework is actually based on self-certification.

Overall the study found numerous problems with data accuracy and basic compliance with simple Framework requirements. This study only checked for compliance with one of the seven Safe Harbor Framework Principles (Principle 7 – Enforcement and Dispute Resolution). Galexia did not check the other six principles. Only 348 organisations passed this basic test of compliance with Principle 7.

It is unlikely that many of these 348 organisations would be considered compliant with the more detailed requirements of the other six Safe Harbor Framework Principles. For example, some organisations’ privacy policies are only two sentences long.

In summary, the study found that the problems identified in previous reviews of the Safe Harbor have not been rectified, and that the number of false claims made by organisations represents a significant privacy risk to consumers.

The Galexia study is part of a broader comparative study of privacy legislation and privacy self-regulation.[3]


[2] <http://www.ita.doc.gov/td/ecom/aaron114.html#Safe>

[3] See also: Connolly C, Trustmark Schemes Struggle to Protect Privacy, 26 September 2008, <http://www.galexia.com/public/research/assets/trustmarks_struggle_20080926/> and Connolly C, Asia-Pacific Region at the Privacy Crossroads, 25 August 2008, World Data Protection Report, volume 8, number 9, <http://www.galexia.com/public/research/assets/asia_at_privacy_crossroads_20080825/>.