Many U.S. companies are violating the “safe harbor” agreement on protection of personal data, and the US Department of Commerce (DoC) and Federal Trade Commission (FTC) should do something about it, the European Commission said this week.
In July 2000, the U.S. Department of Commerce and the European Commission developed and signed a “safe harbor” framework of data protection principles (“Safe Harbor”). This safe harbor is designed to provide U.S. organizations with a means to satisfy the European Union’s legal requirement that adequate data protections be afforded to personally-identifiable information transferred from the European Union to the United States.
The Commission calls on both the DoC and FTC to be more proactive in scrutinizing US organisations that self-certify to the Principles, to ensure that those companies doing so are actually complying with the safe harbor principles. If they are not, the FTC should launch investigations where questions exist regarding possible Safe Harbour compliance problems.
The Commission also questioned the effectiveness of some of the alternative recourse mechanisms which “still fail to comply with applicable Safe Harbour requirements, including the obligation to provide for sanctions such as the publication of findings of non compliance”; and questioned whether the FTC is competent to enforce the Principles given that up to 30 percent of the companies that subscribe to the Safe Harbour Principles do so to import human resources data. The Commission “believes clear guidance needs to be given as to whether the FTC is competent to enforce the Principles in this area”.
On Thursday, 18 November, the U.S. Department of Commerce will hold a workshop on EU data protection compliance issues and the U.S.-EU Safe Harbor framework in Chicago.
I cannot say I am surprised that the US are not complying properly. It does fill me with even more confidence that the deal for sending PNR information is obviously not going to have any problems …