Commerce and International Privacy Activities: Safe Harbor Studies

Three studies of the Safe Harbor Framework have been conducted since the start of Safe Harbor. The first study was conducted in 2001 at the request of the European Commission Internal Market DG [2001 Study]. [29] The second study, completed in 2004, was also conducted at the request of the European Commission Internal Market DG [2004 Study]. An international group of academics conducted the study. [30] The third study was prepared by Chris Connolly, director of an Australian management consulting company whose consultants have expertise in privacy, authentication, electronic commerce, and new technology [2008 Study]. [31]

Analysis: The 2001 Study

The 2001 Study was completed when the Safe Harbor Framework was new, and the number of organizations participating in Safe Harbor was small relative to later years. The report found one or more shortcomings with the participation of “virtually every single adherent”. [32] The report’s threshold observations offer a summary of the problems uncovered:

For the few organizations that did adhere to the Safe Harbor, the collection of documents often presented an array of problematic certifications and policies. In particular and as discussed below, these problems were:

(1) corporate policies were often hard to find;
(2) companies self-certified despite non-existent or publicly unavailable policies;
(3) companies had ambiguous and contradictory policies;
(4) companies restricted the scope of application of their policies;
(5) companies described their data processing activities in an incomprehensible manner;
(6) companies provided policies of uncertain authenticity; and,
(7) companies appeared to make false and misleading statements in their certification statements or policies. [33]

The report’s conclusions are stark, finding an “abysmal level of implementation”. [34] The conclusions are reproduced here in full:

For Safe Harbor to succeed as a substitute for statutory data protection, the implementation by companies should be thorough and unequivocally compliant with the full set of principles.

The trends that emerged from this detailed analysis of the information made publicly available by the companies that have certified their adherence to Safe Harbor reflect an abysmal level of implementation. One year after the effective date of Safe Harbor, the number of adherents is trivial with few major international corporations. The commitments of the few adherents are often qualified. Substantial numbers of adherents disregard important required principles (even when the trend shows majority compliance.) And, the independent recourse mechanisms lack the basic required remedies.

The complexity and confusing array of privacy statements made by the certifying companies are analytical obstacles that make an objective measurement of their compliance with the Safe Harbor Privacy Principles extremely difficult for all of the criteria. The very fact that so many Safe Harbor certifications and policies were non-transparent indicates an unsatisfactory implementation of Safe Harbor.

In itself, this threshold observation also means that interested parties such as the US Department of Commerce, the European Commission, national data protection supervisory authorities and data subjects in Europe will each have a difficult time confirming the substance and applicability of policies of companies purporting to adhere to Safe Harbor.

Some of the implementation problems are technical such as the failure to include specific mention of Safe Harbor in corporate policies. Others, such as the failure to stipulate data subject access and the failure to satisfy the enforcement principle, are more troubling. The magnitude of the compliance deficiencies suggests that the Safe Harbor principles will continue to be difficult to implement. Vigorous enforcement by the Federal Trade Commission might improve some aspects of the implementation by companies, but would be unlikely to increase the number of adherents.

In light of the widespread failures by companies to incorporate the Safe Harbor principles in their privacy policies and to adopt conforming enforcement mechanisms, the European Commission and the US Department of Commerce might be able to advance the satisfactory implementation of Safe Harbor through requiring the accreditation of privacy programs and independent dispute resolution bodies. If a privacy program fully incorporates the principles of Safe Harbor in the rules of membership, then the program could be accredited to issue a Safe Harbor compliant seal. This accreditation and seal would demonstrate satisfactory implementation of the Safe Harbor and would give the private sector a means to assure compliance with the substantive standards.

Similarly, the accreditation of independent dispute resolution bodies would assure that the substantive requirements of Safe Harbor for complaint investigation and dispute resolution were met and would assure that appropriate remedies were available. Membership in an accredited privacy program and the use of an accredited dispute resolution body would efficiently demonstrate compliance with the Safe Harbor.

At present, the European Commission, the US Department of Commerce and the US Federal Trade Commission face disregard and even failure by the registered organizations in their implementation of the Safe Harbor. [35]

In summary, few companies joined the Safe Harbor Framework in the first year. Those that did join had a low level of compliance with the requirements of the framework. There is no evidence from the 2001 Study that the Department of Commerce took any significant action to oversee participation in the Safe Harbor Framework or to take steps to enforce compliance with its requirements.

A 2002 EU Commission Staff Working Paper [36] based on the 2001 Study [37] confirmed the shortcomings found in the study. One of the Working Paper’s conclusions was:

A substantial number of organisations that have self-certified adherence to the Safe Harbour do not seem to be observing the expected degree of transparency as regards their overall commitment or as regards the contents of their privacy policies. Transparency is a vital feature in self-regulatory systems and it is necessary that organisations improve their practices in this regard. [38]

Although the EU acknowledged the problems and shared the results with the Department of Commerce, [39] it appears that neither the EU Commission nor the Department changed its practices in response.

Analysis: The 2004 Study

The 2004 Safe Harbor Study was conducted after the Safe Harbor Framework had been in place for several years, and it found 401 participating organizations. This represented a significant increase in participation from the date of the earlier study. The 2004 study found some positive and important albeit “minimal” tendencies with respect to formal Safe Harbor requirements. However, the study also found “numerous” deficiencies in the way that Safe Harbor had been implemented. The first part of the study’s conclusion [40] – including what it described as “the most alarming deficiencies” – is included here in full:

IV. Conclusions

The SH implementation review indicates that although participating US organizations have made efforts to accommodate privacy concerns, important improvements are required to ensure that safeguards for personal data streams under the SH are adequate. As a general observation, the majority of the reviewed US organizations seem to have difficulties in correctly translating the SH principles into their data-processing policies. Implementation deficiencies are not necessarily the result of bad faith but likely find their origin in confusion over the obligations of SH and perhaps a different perception of what personal data protection involves. These problems can be overcome by providing better guidance on the mechanics as well as the meaning of the SH data protection principles.

It is regrettable that the FTC’s response to the questionnaire was considerably delayed and came only after repeated requests. The same can be said in respect of the 5 EU/EEA DPAs which have not answered the questionnaire. This weakness in responses does not reflect positively on the vitality of the SH.

SH participants generally scored well as regards formal requirements that need to be fulfilled in the certification process. The positive tendencies, as described in the report, are minimal but nonetheless important. They demonstrate that US organizations are sensitive to the data protection issue and are willing to invest resources in compliance. It should not be forgotten in this regard that a thorough understanding of data protection matters has also taken a long time to evolve in Europe and is an ongoing process.

1. Deficiencies Observed

From a legal point of view, however, there are numerous deficiencies in the way in which SH has hitherto been implemented. The most alarming deficiencies are as follows:

1.1 SH Principles

• Transparency and comprehensibility of notices or privacy policies were often deficient: privacy policies were generally difficult to read and were often not able to provide clear insight into data-processing activities and associated risks. While privacy policies showed important quality differences, all of them suffered from some deficiency (major or minor). The nature of the enforcement system of the SH regime may limit transparency. Exposure to liability under the SH scheme is directly linked to explicitness and clarity of announced data protection practices.

• Choice was not clearly mentioned or lacking entirely. Choice is crucial for individuals to have minimal control over the processing of personal data pertaining to them. Without effective choice, personal data can be imported, used and distributed with little restriction. Representations regarding the affordability of choice were usually missing.

• With respect to onward transfers, the status of mentioned “third parties” was not always clear (e.g. “partner”, “affiliate”, etc.), and as a consequence, it was neither clear if those parties were acting in their controller or processor capacity. Express commitment of third party processors to respect the SH was lacking in certain cases. Apart from these problems, the flexibility offered by this principle could be used to circumvent EU law.

• Deficiencies were found also with respect to adoption of security measures. Certain companies did not represent adopting such measures.

• Regarding data integrity, the relevance of the data for the intended use was difficult to determine, since either the “purpose”, the “data type” or the “activities” conducted were not specified at all or not clearly formulated.

• The principle of access tended to be weakly implemented. The right was often limited to contact information or not offered at all. Representations regarding the affordability of access were generally missing.

1.2 Self-Certification

• The entry, “Personal information received from the EU”, in the DoC self-certification form presented many disparities in the answers given by companies. Some described the activities they conduct or gave a description of their business model, some described the purposes for processing, while some described the type of data imported.

• The requirement of accurate location of the privacy policy was not entirely fulfilled. Some of the provided hyperlinks did not work, some led to the home-page of the company where it was sometimes difficult to find the proper link to the privacy policy.

• The FTC was mentioned by the companies importing human resources data as the statutory body with jurisdiction to hear claims against the companies, yet the jurisdiction of the FTC in this respect is dubious.

• Many companies claimed to be members of privacy programs that are not really privacy programs.

1.3 Privacy Programs

• The analysed privacy programs did not incorporate all SH principles (or incorporated certain SH principles deficiently).

1.4 Enforcement

Whereas no concrete cases have been analysed (given the apparent paucity of enforcement cases or complaints received by enforcement bodies), only the implementation of the enforcement principle and FAQ 11 were assessed. Therefore, any statement as to whether enforcement bodies are fulfilling their role is limited to the application of the said SH obligations either in privacy policies or by ADR organizations’ description of procedural rules. The following deficiencies were revealed:

• Organizations agreed to co-operate with the DPA Panel (even if they did not process human resources data), but generally did not represent their acceptance to comply with the DPA Panel’s advice. This is alarming, especially with respect to data imports outside the jurisdiction of the FTC (arguably the case with human resources data).

• The different sanctions foreseen by FAQ 11 were not always available in the ADR mechanisms analysed.

• Publicity of findings was not fully guaranteed.

• For certain dispute resolution bodies/programs there was no indication or guarantee that the dispute would be heard by experts on SH or data protection. Enforcement mechanisms were insufficiently reflected in the privacy policies, and data subjects would have had to conduct extensive research to obtain information about the complaint procedure (mostly by checking the website of the privacy program/ADR organization). [41]

For many of the areas of deficiency found in the study, the shortcomings of the self-certifications should have been apparent on the face of the application. The study found that specific required elements for a Safe Harbor certification were often missing. In some instances, essential principles were omitted or stated in a deficient manner.

The study seemingly tries to avoid evaluating the role of the Department, but it still manages to comment on the limited review by the Department and the presence of inconsistencies that a good faith review should have found. The key paragraph of the study on this point states:

It is noteworthy that the DoC spends one business day for the review of a self-certification. However, part 2 of the present study (i.e. the extensive analysis of certification pages) indicates that the certification pages published on the DoC website often contain important inconsistencies. In particular, there are problems with the exact location of the privacy policies and with references to privacy programs that are not really such programs. [42]

Overall, the problems with the Safe Harbor Framework found by the 2004 Study strongly suggest that the Department of Commerce paid limited attention to reviewing the Safe Harbor documents submitted to it. This conclusion is consistent with the results of the 2001 Study, which can no longer be discounted on the ground that Safe Harbor activities were new in 2001. The same problems clearly persisted over time. [43]

Analysis: The 2008 Study

The 2008 Study is the only independent review of the Safe Harbor Framework conducted outside of the US or the EU. By the time of the study, there were 1,597 organizations listed as enrollees in the Safe Harbor. The study examined compliance with only one of the seven Safe Harbor principles (Principle 7 – Enforcement and Dispute Resolution), but it assessed compliance with that principle by all 1,597 organizations rather than a sample.

The conclusions show that the general level of compliance continued to be poor. Of the 1,597 organizations listed, the study found that only 1,109 were current members. This in itself is an astonishing finding. Another troubling finding of the study is the level of false advertising around Safe Harbor. The study found that some of the non-member companies listed on the Safe Harbor site also claimed certification by TRUSTe or BBB when no such certification existed, and some companies went so far as to craft a fake Department of Commerce “seal.”

Measuring by compliance with the single enforcement and dispute resolution principle, the study found that only 348 organizations out of the 1,597 met the requirements. It seems certain that any assessment of compliance with the other six remaining Safe Harbor requirements would have found even fewer organizations to be in compliance.

The highlights of the study are:

Compliance:

• Although the list contained 1,597 entries, only 1,109 organisations were current members of the Safe Harbor Framework. Many organisations on the list no longer exist or they have failed to renew their certification. The list also includes double entries.

• Only 348 organisations meet even the most basic requirements of the Safe Harbor Framework. Many organisations did not have a public privacy policy, or the policy failed to even mention the Safe Harbor. A large number of organisations failed to comply with Principle 7 – Enforcement and Dispute Resolution, as they did not identify an independent dispute resolution process for consumers.

• 209 organisations selected a dispute resolution provider that was not affordable. These include the American Arbitration Association (AAA) that costs between $120 and $1,200 per hour (with a four-hour minimum charge plus a $950 administration fee), and the Judicial Arbitration Mediation Service (JAMS) that costs $350 to $800 per hour (plus a $275 administration fee). Organisations either failed to disclose these costs or required the consumer to share these costs.

False and/or misleading information:

• 206 organisations claim on their public websites to be members of the Safe Harbor when they are not current members. Many of these false claims have continued for several years.

• 36 of these 206 false claimants were also accredited by a third party as being current members of their Safe Harbor trustmark scheme (e.g. the TRUSTe Safe Harbor and BBB Safe Harbor programs), even though these organisations are not current members of the official Safe Harbor.

• 73 organisations claimed to be members of a Privacy Trustmark Scheme (e.g. TRUSTe or the BBB Safe Harbor program) when they are not current members of those schemes, or they claimed to be members of BBB Online Privacy – a scheme that closed 18 months ago and has not accepted any complaints since June.

• 20 organisations displayed a Department of Commerce Safe Harbor ‘seal’ on their website when they were not actually compliant with the Safe Harbor Framework, including numerous unauthorised seals created using graphics software.

• 24 organisations claimed that they had been certified by the Department of Commerce or certified by the EU – when the Framework is actually based on self-certification. [44]

The 2008 study found little improvement in either compliance or data quality since the two earlier EU reviews of Safe Harbor. The 2008 study observes that “the growing number of false claims made by organisations regarding the Safe Harbor represent a new and significant privacy risk to consumers.” [45]

Overall, the three studies found the same problems with Safe Harbor, without any indication of improvement over time in the management of the Department’s Safe Harbor activities. Indeed, a disclaimer on the Department’s Safe Harbor website indicates that the Department cannot guarantee the accuracy of the information it maintains. [46] It appears that the Department has made some changes to its website over the years, but there remains a lack of evidence of any substantive efforts to monitor compliance.

______________________________

Endnotes

[29] The Functioning of the US-EU Safe Harbor Privacy Principles, (September 21, 2001). This study was reportedly published by the European Commission, but a copy has not been located on the EU’s data protection webpage or elsewhere on the Internet. The study author is not identified in the document, but a Commission official publicly identified Professor Joel R. Reidenberg as the author, and the 2004 Study also identified Professor Reidenberg as the author. See 2004 Study at note 2.

[30] Safe Harbour Decision Implementation Study (2004), available at <http://ec.europa.eu/justice/policies/privacy/docs/studies/safe-harbour-2004_en.pdf>. As identified in the paper, the authors are Jan Dhont, María Verónica Pérez Asinari, and Prof. Dr. Yves Poullet (Centre de Recherche Informatique et Droit, University of Namur, Belgium) with the assistance of Prof. Dr. Joel R. Reidenberg (Fordham University School of Law, New York, USA) and Dr. Lee A. Bygrave (Norwegian Research Centre for Computers and Law, University of Oslo, Norway).

[31] The US Safe Harbor – Fact or Fiction? (2008), available at <http://www.galexia.com/public/research/assets/safe_harbor_fact_or_fiction_2008/safe_harbor_fact_or_fiction.pdf>.

[32] 2001 Study at 9.

[33] Id.

[34] Id. at 26.

[35] Id. at 26-27.

[36] The application of Commission Decision 520/2000/EC of 26 July 2000 pursuant to Directive 95/46 of the European Parliament and of the Council on the adequate protection of personal data provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce (2002) [SEC(2002) 196], available at <http://ec.europa.eu/justice/policies/privacy/docs/adequacy/sec-2002-196/sec-2002-196_en.pdf>.

[37] Id. at 7.

[38] Id. at 2.

[39] Id. at 8.

[40] The second part of the conclusion not reproduced here includes “possible mechanisms for improvement”.

[41] 2004 Study at 105-107 (footnote omitted).

[42] 2004 Study at 95. The study observes that some shortcomings that it found could be the result of changes made to webpages after a certification was accepted by the Department.

[43] EU Commission Staff issued a working document commenting on the 2004 Study. The implementation of Commission Decision 520/2000/EC on the adequate protection of personal data provided by the Safe Harbour privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce (2004) [SEC (2004) 1323], available at <http://ec.europa.eu/justice/policies/privacy/docs/adequacy/sec-2004-1323_en.pdf>.

[44] 2008 Study at 4-5.

[45] Id. at 16.

[46] See <https://www.export.gov/safehrbr/list.aspx> (“In maintaining the list, the Department of Commerce does not assess and makes no representations to the adequacy of any organization’s privacy policy or its adherence to that policy. Furthermore, the Department of Commerce does not guarantee the accuracy of the list and assumes no liability for the erroneous inclusion, misidentification, omission, or deletion of any organization, or any other action related to the maintenance of the list.”)

Roadmap: The US Department of Commerce and International Privacy Activities – Indifference and Neglect: Safe Harbor Studies
