In December 2008, an international report on the U.S. Safe Harbor Agreement (“Safe Harbor”) was released. The report was part of a study examining the agreement between European Data Commissioners and the U.S. Department of Commerce, which was signed in 1998. Under the European Union Data Protection Directive (“European Data Directive”), a member state must implement laws that only permit transfers of data from member states to third party countries that provide adequate levels of data protection. The European Union has yet to find that the United States provides an adequate level of data protection. The Safe Harbor therefore allows U.S. businesses to transfer data from Europe to the United States without complying with the European Union member states’ requirements governing data transfers. By utilizing the Safe Harbor, a U.S. business can self-certify through the Department of Commerce that it provides an adequate level of privacy protection thereby satisfying the European Data Directive requirement.

The report concludes that the Safe Harbor has been ineffective. The study found that only 22% of the registered companies complied with the basic principles of the Safe Harbor; while many organizations claiming to provide adequate data protection actually failed to meet some of the basic requirements. For instance, many companies failed to publicly post a privacy policy or to identify an independent dispute resolution process for consumers.

By making false or misleading statements regarding membership or compliance with the Safe Harbor program, a business may open itself up to an enforcement proceeding by the Federal Trade Commission (“FTC”), which deems false claims as unfair or deceptive acts or practices that are actionable under Section 5 of the FTC Act. Below is a list of common compliance issues related to privacy policies that a business thus ought to consider if it participates in the Safe Harbor:

  • Audit your practices to evaluate whether your company complies with the Safe Harbor requirements and that your privacy policy accurately reflects your company’s practices.
  • Your privacy policy should address all 7 Safe Harbor principles: (1) Notice; (2) Choice; (3) Onward Transfer; (4) Security; (5) Data Integrity; (6) Access; and (7) Enforcement.
  • Avoid making false claims regarding the nature of your Safe Harbor certification. For instance, because the Safe Harbor is a self-certification program, refrain from making statements that your company has been certified by the Department of Commerce or the European Union.
  • Make your privacy policy readily accessible on the company website.
  • Post only the official Safe Harbor Certification Mark provide by the US Department of Commerce on your site rather than using unauthorized logos or marks.
  • Immediately preceding the top edge of the mark, provide the following “We self-certify compliance with.”
  • Include the following links to the US Department of Commerce web site in your privacy policy: (1) http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list and (2) www.export.gov/safeharbor.
  • Select with care an independent dispute resolution provider, as required by Safe Harbor Principle 7. Ensure that your membership with such a dispute resolution provider remains current.
  • Confirm that your company annually renews its selfcertification. The report found that numerous companies claimed compliance, but had not renewed their certification.