Sensitive data concerning European citizens and companies is not safe in the U.S., legal experts warn. Many U.S. companies are wrongfully claiming they are certified to store and process data from Europe, a practice that has been going on for about 10 years.
The federal government in Washington, D.C., does not provide meaningful oversight, and the European Commission is ignoring the swindle, say the experts. Moreover, a research report highly critical of the fraudulent practices has been withheld for months.
The European Commission must clarify and rectify this situation, according to Sophie in 't Veld, a Member of the European Parliament, where she sits with the Alliance of Liberals and Democrats for Europe.
Data safe haven?
The Safe Harbor principles form a crucial agreement between the E.U. and U.S. Only U.S. companies that are certified are allowed to process and store data of European consumers and companies.
There are seven principles, including "unambiguous consent" and an opt-out for those involved, reasonable data security, and clearly defined and effective enforcement. All U.S. companies providing e-mail, chat services, social networking or cloud computing facilities must meet all seven requirements. Over 2,000 companies have been certified, including giants like Microsoft, Facebook and Google.
The safety of this harbor is not absolute, though, as the U.S. government can demand any data and plough through it if the Patriot Act is invoked.
Self-regulation turns to chaos
But there is much more going on. The rules and policies of Safe Harbor are as soft as butter and there's no oversight. The main problem lies with the U.S. Department of Commerce, which administers the Safe Harbor list of companies. Companies put themselves on this list through self-certification, without anybody checking anything.
The result of this self-regulation is disastrous. Hundreds of U.S. companies claim they are certified, without meeting the necessary conditions. These problems had already surfaced in 2002 and 2004, when the E.U. commissioned two studies.
In 2008 nothing had improved and the independent research and consultancy company Galexia reached shocking conclusions. Of the 1,597 organizations on the Safe Harbor list, only 348 met all seven principles in the most basic way, Galexia reported.
Moreover, hundreds of U.S. companies displayed the Safe Harbor seal on their website, while they were not even registered. The report covers a long list of mistakes, abuse, carelessness and downright fraud.
The bottom line, according to Galexia: "Until the Safe Harbor is reviewed and improved, consumers and business should approach all claims made regarding the Safe Harbor with great care, and undertake their own investigations before providing any personal information to U.S. organisations."
That was in 2008. Since then, not much has changed. Last year the U.S. Federal Trade Commission (FTC) sued six companies for false Safe Harbor claims. These cases were all quickly settled. At the end of 2009 there were renewed talks between the E.U. and the U.S.
But the chaos and fraud continue. In July of this year Galexia director Chris Connolly presented the results of a follow-up study. 2,170 U.S. companies now claim to have the Safe Harbor certification, but 388 of them were not even registered with the Department of Commerce. There are 181 companies still on the list with certificates that have expired. As many as 940 companies make no effort to explain how they implement and enforce the Safe Harbor principles, while 314 companies provide a dispute resolution scheme that costs between $2,000 and $4,000 -- a cost that is against the principles.
The final report was due to be published in August, but it hasn't come out. The only details available come from the data protection agency of the German state of Schleswig-Holstein, which reported on a presentation made by Connolly. "These numbers come from the presentation that Mr. Connolly did in July in Cambridge. The report was to be released in August, but since then we haven't heard from him," said a spokesman for the data protection agency.
Connolly hasn't returned numerous calls and e-mails. A spokesman for Galexia maintains that he is "very busy". The spokesman does, however, provide a cryptic explanation of why the report has not yet been published. "The results are quite controversial. Some parties were not too happy." There's no confirmation that the report will be published at all.
Safe Harbor bankrupt
"If you read the findings and conclusions, I'm a little bit shocked. This is pretty severe. In the past 10 years, very little seems to have changed," says Leo van der Wees, scholar at the Tilburg Institute for Law, Technology and Society at the University of Tilburg.
"All the more reason to say: Safe Harbor is nice and all, but we Europeans won't come back until it is properly regulated. And if you are contracting an American company claiming it's Safe Harbor certified, do not assume it actually is," warns Van der Wees.
"I'm afraid that the Safe Harbor has very little value anymore," says Theo Bosboom, IT lawyer with Dirkzager Lawyers. "The idea itself was not so bad, but if there is no oversight, and every company can claim certification without suffering any consequences if they are wrong or fraudulent, the seal is no longer reliable. You can see that this has already happened."
So Europeans had better keep their data in Europe? Certainly, advises Bosboom. "When companies ask me, 'Is this an issue?' I say yes, definitely. If alternative companies offer the guarantee that data stays within the European Union, that is without a doubt the best choice, legally."
Clarification from the European Commission
Member of the European Parliament Sophie in 't Veld has pledged to raise Parliamentary Questions that demand clarification from the European Commission on the Safe Harbor abuses. "The Commission must tell us what they know about these reports and why nothing was done about it," she said. She also wonders whether the FTC should have stepped in much earlier.
The issue at hand deserves much more attention, says In 't Veld. "It's a typical lack of privacy awareness and priority in the U.S. but also in Europe. The E.U. and the U.S. have full-blown trade wars about almost anything, but a total lack of control over cross-border processing and storage of private data of hundreds of millions of Europeans can apparently be ignored for years."
In 't Veld has her hopes pinned on a comprehensive Treaty on Transatlantic Data Protection that is currently in the works in Brussels and Washington. The E.U. itself is overhauling its data protection directive as well. "This is a very good time to strengthen data protection, not only vis-a-vis the government, but also in the private sector. It's long overdue," she said.
European Commissioner Neelie Kroes last week announced new rules concerning data protection and cloud computing. But whether that means the end of the controversial Safe Harbor code is not yet clear.
IT lawyer Bosboom thinks Safe Harbor is ready for oblivion, but he also hopes that Europe and the U.S. will agree to a binding treaty on cross-border data processing. Still, he is skeptical of the chances of such a treaty. "The U.S. and Europe think very differently about privacy. These issues with Safe Harbor demonstrate this clearly once more."
However, some new regulatory framework is needed, and quickly, says Bosboom. "Much of the international business community struggles with this. Current law and legal practice is simply not suited to cloud computing, while there's a huge need for it. Surely something must be done."