Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein

Dies ist unser Webangebot mit Stand 27.10.2014. Neuere Artikel finden Sie auf der ├╝berarbeiteten Webseite unter www.datenschutzzentrum.de.



10th Anniversary of Safe Harbor – many reasons to act, but none to celebrate

Ten years ago, on July 26th, 2000 the Commission of the European Union (EU) has adopted a decision recognizing the “safe harbor” principles, an arrangement put in place by the US Department of Commerce. With these principles the EU Commission generally recognizes an adequate level of protection for US companies who have self-certified adherence to a set of data protection principles. Self-certified companies benefit from a simplified data exchange between the EU and the USA. Ten years ago, the rather sceptical EU Parliament and the Art. 29 Working Party, the European advisory body on data protection and privacy, demanded an early official review. In the opinion of the Independent Centre for Privacy Protection (ULD, Unabhaengiges Landeszentrum fuer Datenschutz), the office of the Data Protection and Privacy Commissioner of Schleswig-Holstein, this review is long overdue. And according to the facts known today, a negative turn out is anticipated.

US companies’ self-commitment to safe harbor concerns the following:

  1. Notice: An organization must inform individuals about the data processing and about possibilities to file inquiries or complaints;
  2. Choice: An organization must provide a general opportunity for individuals to choose to object (opt out) and must ask for consent (opt in) for processing of sensitive data;
  3. Onward Transfer: Disclosure of information is only permitted if the recipient adheres to the notice and choice principle;
  4. Security: Protection of data from loss, misuse and unauthorized access, disclosure, alteration and destruction;
  5. Data Integrity: Observance of purpose limitation of data;
  6. Access: Right to access personal information hold by an organization about the individual concerned;
  7. Enforcement: Mechanisms for assuring effective compliance and data subjects rights.

On July 5th, 2010 the Australian privacy researcher Chris Connolly presented at an international privacy conference in Cambridge, UK, results from his second study on US companies’ compliance with the safe harbor principles. According to his findings, 2170 US companies claim to be safe harbor privileged; whereof 388 were not even registered with the Department of Commerce (DOC). Among the registered companies 181 certificates were found to be not current due to lapse of time. The check on the 7th principle concerning enforcement alone showed that 940 out of the 2170 US companies do not provide information on how to enforce individuals’ rights. 314 companies provide a dispute resolution scheme that costs between 2000 and 4000 US dollars. Thus, it is hardly surprising that not a single complaint procedure has been carried out. Despite the more than 2000 annual complaints about non-compliance with the safe harbor principles, the Federal Trade Commission (FTC) has prosecuted only seven organisations for falsely claiming safe harbor self-certification. The detailed results of the study will be published in August 2010.

Following the similar disastrous results from the 2008 study, no noticeable conclusions have been drawn by those responsible in the US. Even after negotiations between the EU and the US in December 2009, US authorities have not shown visible measures to stop the misuse of safe harbor.

ULD head Thilo Weichert comments on occasion of the 10th anniversary: „From a privacy perspective there is only one conclusion to be drawn from the lessons learned – to terminate safe harbor immediately. Due to the close economic relations nobody in the EU seems to have the courage to do it. The least that should be done is to demand from the US short term positive evidence concerning enforcement of the safe harbor principles. It is necessary to immediately re-open negotiation to revise the principles and to make them effective. In the internet alone hundreds of US companies, including Google and Facebook, bustle about claiming safe harbor and thus declaring themselves empowered to process the data of millions of European citizens and earning a lot of money without anyone – neither individuals nor data protection authorities - being able to check on them.”

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Holstenstr. 98, 24103 Kiel
Tel: 0431 988-1200, Fax: -1223