Hundreds of US Companies Lie about Safe Harbor Conformance


Related Links

Related Stories

  • EU's Data Protection One-Stop-Shop Inches Forward
    Current European data protection laws require that multinationals abide by the national data protection law in each country in which they operate. This is burdensome. To ease this burden, the proposed General Data Protection Regulation includes a one-stop-shop principle. But this is proving problematic.
  • French Data Protection Authority will Impose Sanctions on Google
    The French DPA, CNIL, announced Friday that it "will now designate a rapporteur for the purpose of initiating a formal procedure for imposing sanctions" against Google over the search giant's failure to comply with a six-point ruling laid down on June 20, 2013.
  • Europe to Re-evaluate Safe Harbor Agreement
    Following the European Parliament's decision to launch an inquiry into US surveillance programs – and similar European programs – vice president Viviane Reding has informally announced that the European Commission will re-evaluate the EU/US safe harbor agreement.
  • Spy scandal: Merkel Demands Commitments from US; Reding Lends Support; Britain Objects
    On Sunday German Chancellor Angela Merkel made her strongest comments yet on the NSA/GCHQ spying scandal; while on Monday EU Justice Commissioner Viviane Reding welcomed Merkel's commitment to support strong and uniform EU data protection rules.
  • ICO says Google is in breach of the Data Protection Act and must conform by September
    The Information Commissioner's Office (ICO) has written to Google and told it to amend its aggregated privacy policy. In March 2012 Google combined some 70 different privacy policies across its services into a single policy, "which will mean," it said, " a simpler, more intuitive Google experience."
  • EU data protection laws cannot be used to 'censor' Google
    In the Opinion of the European Court of Justice Advocate General Niilo Jääskinen, search engine providers -- in this case, specifically Google -- cannot be held liable under current EU data protection rules for personal data held on the web pages they process.

Top 5 Stories


Hundreds of US Companies Lie about Safe Harbor Conformance

10 October 2013

The adequacy of the EU-US Safe Harbor agreement that ensures US companies provide the same levels of data protection to EU personal data as that provided by European law has been called into question during a LIBE committee meeting.

Safe Harbor is a streamlined process that allows US companies to be acceptable to EU data protection regulations. Those regulations stipulate that EU personal data cannot be sent outside of Europe unless to a country or company that has adequate levels of protection. The US does not have those acceptable levels. Safe Harbor is a process that allows individual American companies to transfer personal data provided they conform to the seven Safe Harbor Principles agreed between the EU and the US. The majority of US companies self-certify each year.

The adequacy of the Safe Harbor agreement has been called into question following the Snowden release of documents detailing the collection of European personal data by the NSA via large US companies trading in Europe. "The Safe Harbor agreement may not be so safe after all,” said EU commissioner for Justice Viviane Reding at the informal justice council in Vilnius in July.

This week, as part of its inquiry on 'Electronic Mass Surveillance of EU Citizens' the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) committee discussed  Safe Harbor.

Giving evidence was Galexia, an Australian management consultancy with a history of examining Safe Harbor operations. In 2008 Galexia published a report that concluded, "The EU should take a more ‘hands-on’ approach to ensuring that the Safe Harbor is providing basic privacy protection." In 2010, Privacy Law and Business International quoted Galexia in an article discussing the FTC action against six US companies over false Safe Harbor claims: "Although these six organisations have been taken to task for false claims, I calculate there are more than 300 organisations currently making a false claim of Safe Harbor membership. More action is required."

Speaking at the LIBE committee meeting this week (reported in EUobserver), Chris Connolly, a director at Galexia, said that his latest research shows that 427 US companies now make false claims over Safe Harbor. “In those 427 organizations, you will find large household names in Europe, with hundreds of millions of customers,” he said.

The problem, however, goes much deeper. One of the Safe Harbor principles is that there must be an effective means of enforcing the rules. This comes down to dispute resolution, but Connolly told the committee that around 30% of all registered companies (there are almost 3000 self-certified companies) give no information on dispute resolution options. Of those that do, 460 cite the American Arbitration Association as their resolution provider. The American Arbitration Association charges the complainant between $120 and $1,200 per hour (minimum 4 hours) plus a $950 administration fee.

“It would be dangerous to rely on Safe Harbor to manage any aspect of the specific national security issue we face now without first addressing the broader issue of false claims and non-compliance,” Connolly said. However, it is also worth noting that large sections of European personal data – the financial records, travel records and data and voice carried by US telecommunications providers – are exempt from Safe Harbor requirements.

This article is featured in:
Compliance and Policy


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×