Hundreds of US companies lie about Safe Harbor Framework compliance

The United States has no general data protection law, yet US companies need to deal with Europeans whose data is protected by the EU Data Protection Directive. To bridge that gap, the Safe Harbor Framework was thrashed out in 2000 between the European Commission and the US Department of Commerce. It aimed to ensure that US firms complied with EU data protection law when handling EU citizens' data.

The Framework is entirely voluntary, and companies that join it are entitled to limit their compliance to human resources data, to consumer data, or to offline data only. It also provides no protection for EU citizens' data, financial records, travel records, voice calls and text messages carried by US telecoms companies; these therefore have no legal protection against the activities of the NSA and are liable to inspection by US authorities under the Patriot Act.

Of the around 3000 companies that have signed up to the Framework (weak as it is), a 2008 report from research company Galexia found that over 200 had lied about conforming to its guidelines. A new report from Galexia shows that in 2013 this number had risen to 427:

‘In those 427 organisations, you will find large household names in Europe, with hundreds of millions of customers’, Christopher Connolly, a director at Galexia, told the European Parliament’s civil liberties committee in October (2013).

Connolly also observed that, in addition to this, many companies add Safe Harbor logos and seals to their websites without ever having joined the Framework in the first place. Of those companies that have signed up to the agreement, around 30 percent flout the rules by not displaying dispute resolution options or, even worse, by referring users to agencies that charge thousands of dollars to file a complaint (460 members use the American Arbitration Association, an organization which charges between $120 and $1200 per hour with a four-hour minimum charge, plus a $950 administration fee, to anyone filing a complaint).

In theory it is up to the US Federal Trade Commission (FTC) to enforce the Framework standards and deal with false claims, but despite much lobbying from privacy advocates it has filed only six cases, all against small companies, and no sanctions were imposed. Despite this, the FTC insists that the Safe Harbor Framework protects EU citizens' data:

‘We think it is a great way for us to protect European citizens when we are doing a case involving a US company,’ said FTC commissioner Julie Brill in Brussels in March last year.

In November, in its report ‘Communications on Rebuilding Trust in EU-US Data Flows and on the Functioning of the Safe Harbor from the Perspective of EU Citizens and Companies Established in the EU,’ the European Commission proposed a number of reforms to the Framework.

However, at around the same time EU Commissioner for Justice Viviane Reding said that ‘an overwhelming majority’ of EU justice ministers had given her ‘a very strong political endorsement’ for a new and separate EU data privacy bill.

The proposed bill, which it is hoped will be ready for adoption before the EU elections in May this year (2014), will allow EU citizens to direct data handling complaints against US companies such as Google and Facebook to a national data chief.

How far this strengthening of Europeans' data protections against blasé US companies will go in practice remains to be seen, but it is heartening to see a groundswell of resistance to, and a growing awareness of, the data abuses routinely perpetrated by US tech companies.

Douglas Crawford: I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

2 responses to “Hundreds of US companies lie about Safe Harbor Framework compliance”

  1. ### I’m sorry to post this comment here. I have been having a hard time posting my comments since last night ###

    Lastly, here is one more thing I want to add.
    I really envy the US citizens, because Cyber privacy/freedom awareness seems to prevail and there are so many powerful Cyber privacy/freedom advocates and advocacy groups over there.
    In our country (Please don’t tell where it is if you notice it, because I’m so ashamed to be from there), three anti-Cyber freedom statutes, including the ACTA and our version of the DMCA, which this article at Falkvinge ( called “DRACONIAN” and which I didn’t know about until I had read it, had been passed within a couple of months, secretly, without public knowledge, without much parliamentary scrutiny and debate, completely ignoring public hearings, opinions and interests.
    Our law makers are very smart and sneaky, and they made all the above things happen while all public attention was turning toward a bigger issue, the “sales tax raise debate”, and while the Lower House was not functioning because of it.
    These people are anti-Cyber freedom, pro copyright actually, because they always work for their own interests, and our versions of the MPAA, the RIAA, and the like are public and private sectors in which they retire to high-profile positions.
    Our mainstream media are also anti-Cyber freedom, apparently anti-Internet, for obvious reasons.
    They are always trying to convince us that online anonymity is a bad thing.
    Our politicians don’t listen to us, their voters, on such a minor issue at all.
    So, you, Europeans, tell me what the ACTA is?
    Last time I checked, Google returned only a few web pages about it in our language, one of them being Wikipedia’s entry.
    Seriously speaking, for the past five years or so, I have found only one tiny article about it in our newspapers, JUST ONE TIME (Well, I can’t say that I had paid much special or enough attention to the ACTA, though. Until recently, I had never been much interested in such legislation, including the SOPA, PIPA, CISPA, and even DMCA, because I don’t do P2P and I had thought that those laws dealt with just “PIRACY”, but not “PRIVACY”. However, I did always wonder and have an interest in what all the fuss about those laws in the US and Europe was about, anyway).
    I remember that the article gave me the impression that the legislation was first developed in the EU and our country had to ratify it as many EU countries would.
    I saw our popular politician saying on his blog that all the fuss about the ACTA in the EU, which none of our mainstream media have ever covered, BTW, was fake or was created by a very small group of people who were not smart enough to appreciate the value of the law, very beneficial to all of us, and assuring us that we had nothing to worry about.
    Is that true? It seems very different and, if anything, completely opposite to what Wikipedia is saying about it!
    Anyway, most of our people haven’t known or noticed this law at all and we don’t really have any control over it!
    That’s why I envy Americans for having privacy advocacy groups such as the EFF and ACLU, as all presses and most journalists in our country are self-important corrupt assholes; although we might have some privacy advocacy attorneys who could be willing to fight for our digital rights, they would be so powerless that they wouldn’t be capable of changing the world, our country or anything.
    So, significant pressure from other countries is our only hope, and I’m expecting the TPP and FTAs will help us take our digital rights back from our arrogant anti-Cyber freedom oppressors.
    This is another reason why I prefer to sign up for PIA, because, in doing so, I can be supporting privacy advocacy groups like the EFF.
