Safe Harbor is a streamlined process that allows US companies to be treated as acceptable under EU data protection regulations. Those regulations stipulate that EU personal data cannot be sent outside of Europe except to a country or company that has adequate levels of protection. The US does not have those acceptable levels. Safe Harbor is a process that allows individual American companies to transfer personal data provided they conform to the seven Safe Harbor Principles agreed between the EU and the US. The majority of US companies self-certify each year.
The adequacy of the Safe Harbor agreement has been called into question following the Snowden release of documents detailing the collection of European personal data by the NSA via large US companies trading in Europe. “The Safe Harbor agreement may not be so safe after all,” said EU commissioner for Justice Viviane Reding at the informal justice council in Vilnius in July.
This week, as part of its inquiry on 'Electronic Mass Surveillance of EU Citizens', the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) committee discussed Safe Harbor.
Giving evidence was Galexia, an Australian management consultancy with a history of examining Safe Harbor operations. In 2008 Galexia published a report that concluded, "The EU should take a more ‘hands-on’ approach to ensuring that the Safe Harbor is providing basic privacy protection." In 2010, Privacy Law and Business International quoted Galexia in an article discussing the FTC action against six US companies over false Safe Harbor claims: "Although these six organisations have been taken to task for false claims, I calculate there are more than 300 organisations currently making a false claim of Safe Harbor membership. More action is required."
Speaking at the LIBE committee meeting this week (reported in EUobserver), Chris Connolly, a director at Galexia, said that his latest research shows that 427 US companies now make false claims over Safe Harbor. “In those 427 organizations, you will find large household names in Europe, with hundreds of millions of customers,” he said.
The problem, however, goes much deeper. One of the Safe Harbor principles is that there must be an effective means of enforcing the rules. This comes down to dispute resolution, but Connolly told the committee that around 30% of all registered companies (there are almost 3000 self-certified companies) give no information on dispute resolution options. Of those that do, 460 cite the American Arbitration Association as their resolution provider. The American Arbitration Association charges the complainant between $120 and $1,200 per hour (minimum 4 hours) plus a $950 administration fee.
“It would be dangerous to rely on Safe Harbor to manage any aspect of the specific national security issue we face now without first addressing the broader issue of false claims and non-compliance,” Connolly said. However, it is also worth noting that large sections of European personal data – the financial records, travel records and data and voice carried by US telecommunications providers – are exempt from Safe Harbor requirements.