got privacy?  Musings on the state of Privacy in a connected world.
 
The Federal Trade Commission (FTC) has settled with 6 organizations that claimed falsely that they complied with Safe Harbor (Sidenote: I still have to stop myself from spelling it "Harbour" even though I've lived in the US for a few years...). 

For those of you not familiar with Safe Harbor, it is a way for US organizations to share data between the US and Europe even though there are very different data protection legislative environments in place.  There is a fundamental right to privacy in the draft European Constitution, but not in the US constitution - http://www.edri.org/edrigram/number12/privacy-eu-constitution

Safe Harbor is a self-certification process.  Organizations can download the principles from the FTC website, review their practices against them and then pay a nominal fee to be included in the list of organizations that are Safe Harbor "compliant".  So far, so subject to abuse?  Frankly I am amazed that the EU has allowed this self-certification process to continue for so long when it provides so little real comfort that organizations are doing what they need to do to protect EU citizens' personal information.  I guess that it's partly due to the balance of power in the EU / US relationship where the US government has no doubt been lobbied hard by business not to make the standard any more onerous.

I'm all for self-regulation when it works, but as Ronald Reagan said, "Trust, but Verify".  Now that the FTC has stepped up its actions I wonder how many of the organizations that have gone through the self-certification process will revisit their answers just to check whether they would stand up to an outside inspection.

FTC statement regarding the settlement http://www.ftc.gov/opa/2009/10/safeharbor.shtm
Much more detailed analysis of the case and some possible implications at http://www.huntonprivacyblog.com/2009/10/articles/enforcement-1/ftc-takes-additional-safe-harborrelated-enforcement-actions/index.html


