got privacy?  Musings on the state of Privacy in a connected world.
The Federal Trade Commission (FTC) has settled with 6 organizations that claimed falsely that they complied with Safe Harbor (Sidenote: I still have to stop myself from spelling it "Harbour" even though I've lived in the US for a few years...). 

For those of you not familar with Safe Harbor, it is a way for US organizations to share data between the US and Europe even though there are very different data protection legislative environments in place.  There is a fundamental right to privacy in the draft European Constitution, but not in the US constitution -

Safe Harbor is a self-certification process.  Organizations can download the principles from the FTC website, review their practices against them and then pay a nominal fee to be included in the list of organizations that are Safe Harbor "compliant".  So far, so subject to abuse?  Frankly I am amazed that the EU has allowed this self-certification process to continue for so long when it provides so little real comfort that organizations are doing what they need to to protect EU Citizens personal information.  I guess that it's partly due to the balance of power in the EU / US relationship where the US govenment has no doubt been lobbied hard by business not to make the standard any more onerous.

I'm all for self-regulation when it works, but at Ronald Reagan said "Trust, but Verify".  Now that the FTC has stepped up its actions I wonder how many of the organizations that have gone through the self-certification process will revisit their answers just to check whether they would stand up to an outside inspection.

FTC statement regarding the settlement
Much more detailed analysis of the case and some possible implications at

Leave a Reply.