The US Safe Harbor - Fact or Fiction? (2008)
2. Previous reviews of the Safe Harbor Framework
It is important to note that the manager of the Safe Harbor Framework – the US Department of Commerce – holds the Safe Harbor Framework in very high regard, and considers it a success. In October 2007 the Department of Commerce claimed that the ‘EU view Safe Harbor as a Best Practice and Gold Standard for data protection’.[4]
There is, however, no other evidence available that the EU view the Safe Harbor as a ‘gold standard’ – the more common view is that the Safe Harbor is a practical compromise. The EU reviewed the Safe Harbor in 2002 and again in 2004. Both studies raised significant concerns.
The 2002 review found that ‘a substantial number of organisations that have self-certified adherence to the Safe Harbor do not seem to be observing the expected degree of transparency as regards their overall commitment or as regards the contents of their privacy policies. Transparency is a vital feature in self-regulatory systems and it is necessary that organisations improve their practices in this regard.’ The 2002 review was also critical of the available dispute resolution mechanisms at that time.[5]
The 2004 review examined 10% of Safe Harbor organisations in detail, resulting in a long list of criticisms, including concerns that a number of companies failed to identify an Alternative Dispute Resolution body. They also raised concerns that ‘some alternative recourse mechanisms still fail to comply with applicable Safe Harbor requirements’ and ‘less than half of organisations post privacy policies that reflect all seven Safe Harbor Principles’.[6]
[4] Greer D, The U.S.-E.U. Safe Harbor Framework, presentation to the Conference on Cross-Border Data Flows, Data Protection, and Privacy, Washington DC, October 2007,
<http://www.SafeHarbor.govtools.us/documents/1A_DOC_Greer.ppt>.
[5] European Commission, The application of Commission Decision on the adequate protection of personal data provided by the Safe Harbor Privacy Principles, 13 February 2002, page 2,
<http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/sec-2002-196/sec-2002-196_en.pdf>.
[6] European Commission, The implementation of Commission Decision on the adequate protection of personal data provided by the Safe Harbor Privacy Principles, 20 October 2004,
<http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/sec-2004-1323_en.pdf>.