In order to address the fact that the United States does not have a data protection law, while US companies need to deal with Europeans whose data is protected by the EU Data Protection Directive, the Safe Harbor Framework was thrashed out in 2000 between the European Commission and the US Department of Commerce. It aimed to ensure that US firms complied with EU data protection laws when handling EU citizens’ data.
An entirely voluntary set of rules in any case, the Framework entitles companies to limit their compliance to human resource data, or consumer data, or just offline data. It also provides no protection for EU citizens’ data, financial records, travel records, voice calls and text messages that are carried by US telecoms companies, and which therefore have no legal protection against the activities of the NSA, and are liable to inspection by US authorities under the Patriot Act.
Of the around 3000 companies that have signed up to the Framework (weak as it is), a 2008 report from research company Galexia found that over 200 had lied about conforming to its guidelines. A new report from Galexia shows that in 2013 this number had risen to 427:
‘In those 427 organisations, you will find large household names in Europe, with hundreds of millions of customers’, Christopher Connolly, a director at Galexia, told the European Parliament’s civil liberties committee in October (2013).
Connolly also observed that, in addition to this, many companies add Safe Harbor logos and seals to their websites without ever having joined the framework in the first place. Of those companies that have signed up to the agreement, around 30 percent flout the rules by not displaying dispute resolution options or, even worse, by referring users to agencies that charge thousands of dollars to file a complaint (460 members use the American Arbitration Association, an organization which charges between $120 and $1200 per hour with a four-hour minimum charge, plus a $950 administration fee, to anyone filing a complaint).
In theory it is up to the US Federal Trade Commission (FTC) to enforce the Framework standards and deal with false claims, but despite much lobbying from privacy advocates it has only filed six cases, all against small companies, and no sanctions were imposed. Despite this, the FTC insists that the Safe Harbor framework protects EU citizens’ data:
‘We think it is a great way for us to protect European citizens when we are doing a case involving a US company,’ said FTC commissioner Julie Brill in Brussels in March last year.
In November, in its report ‘Communications on Rebuilding Trust in EU-US Data Flows and on the Functioning of the Safe Harbor from the Perspective of EU Citizens and Companies Established in the EU,’ the European Commission proposed a number of reforms to the Framework.
However, at around the same time EU commissioner for Justice Viviane Reding said that ‘an overwhelming majority’ of EU justice ministers gave her ‘a very strong political endorsement’ for a new and separate EU data privacy bill.
The proposed bill, which it is hoped will be ready for adoption before the EU elections in May this year (2014), will allow EU citizens to direct data handling complaints against US companies such as Google and Facebook to a national data chief.
How far this strengthening of Europeans’ data protections against blasé US companies will go in practice remains to be seen, but it is heartening to see a groundswell of resistance to, and a growing awareness of, the data abuses routinely perpetrated by US tech companies.