Wednesday, November 03, 2004

The EU have released a report on the workings of the EU and US agreement on privacy "Safe Harbour" provisions. The report, and the detailed study it is based on (which has not yet been released), seem to find significant shortcomings in the compliance of self-certifying companies with the requirements of the agreement. The report reaches a number of conclusions:

1. They're pleased that more than 400 US organizations are using Safe Harbour but would like more involved.

2. They're concerned that many of the companies involved either have not published a privacy policy or have privacy policies which do not comply with the Safe Harbour Principles. This means the Federal Trade Commission, who are supposed to police companies' compliance with their own policies, can't do this. The report at this point also suggests the US Department of Commerce could be a bit more careful in scrutinizing self-certifying organisations.

3. The Department of Commerce should provide a facility on their website to let organizations "state their commitment to comply with the advice given by the EU panel in the event of a dispute without which the FTC would be unable to enforce compliance with the advice of the EU panel."

4. Mechanisms of recourse available in the case of non-compliance exist but are weak and in some cases fail to comply with the Safe Harbour Principles.

5. "...given that up to 30 per cent of the companies that subscribe to the Safe Harbour Principles do so to import human resources data clear guidance is needed as to whether the FTC is competent to enforce the Principles in this area is needed."

Not exactly a ringing endorsement then.
