The Department of Commerce’s actions on international privacy matters have often been characterized by highly visible but ineffectively administered programs that lack rigor. As this report discusses, three separate studies show that many and perhaps most Safe Harbor participants are not in compliance with their obligations under the Safe Harbor Framework. The Department of Commerce has thus far carried out its functions regarding the Safe Harbor program without ensuring that organizations claiming to comply with the Safe Harbor requirements are actually doing so.
The privacy responsibilities of the National Telecommunications and Information Administration of the Department of Commerce originated with the establishment of a privacy coordinating committee by President Jimmy Carter in 1977 as part of a presidential privacy initiative.  The staff that carried out the work was transferred to NTIA at the time of its establishment in 1978. 
With the adoption of the European Union’s Data Protection Directive  in 1995 and its implementation in 1998, much of the concern about transborder data flows of personal information centered on the export restriction policies of the Directive. Article 25 generally provides that exports of personal data from EU Member States to third countries are only allowed if the third country ensures an adequate level of protection. While some countries have been found to provide an adequate level of protection according to EU standards, the United States has never been evaluated for adequacy or determined to be adequate.
Report home | Read the report (PDF) | Previous section | Next section Three studies of the Safe Harbor Framework were conducted since the start of Safe Harbor. The first study was conducted in 2001 at the request of the European Commission Internal Market DG [2001 Study].  The second study, completed in 2004,
The shortcomings of the Safe Harbor Framework have come to the attention of some data protection authorities in Europe. In April 2010, the Düsseldorfer Kreis, a working group comprised of the 16 German federal state data protection authorities with authority over the private sector, adopted a resolution applicable to those who export data from Germany to US organizations that self-certified compliance with the Safe Harbor Framework. The resolution tells German data exporters that they must verify whether a self-certified data importer in the US complies with the Safe Harbor requirements.