The Safe Harbor agreement between the US and European Union countries has come under sustained fire in the wake of the Edward Snowden/NSA revelations, with some in the European Commission, most notably Digital Agenda Commissioner Neelie Kroes and former Justice Commissioner Viviane Reding, openly questioning whether it is indeed safe.
The Safe Harbor rules are intended to allow European data to be transferred outside of the EU and reside on US servers so long as the same strong data protection and privacy rules are adhered to.
But the scheme is self-certifying and, as such, critics argue it is open to abuse. The likes of Kroes and Reding, who want to introduce draconian new data protection regulations across the EU, have demanded that the US government falls in line with their plans, going so far as to suggest that Safe Harbor may need to be scrapped completely.
Now the CDD has stepped up as an unexpected state-side ally to the cause, calling on the Federal Trade Commission (FTC), which is responsible for enforcing Safe Harbor provisions, to investigate 30 firms that it alleges are or have been in breach of the rules.
According to the CDD’s accusations, the firms in question “create detailed digital dossiers” of EU residents and combine public records with online tracking technologies, mobile tracking and other sources.
The CDD claims its filing provides:
factual information and legal analysis on probable violations of Safe Harbor commitments that materially mislead EU consumers.
The CDD filing is built around five main points of concern which the Center describes as:
- the failure of Safe Harbor declarations and required privacy policies in particular to provide accurate and meaningful information to EU consumers
- general lack of candor from the companies about the nature of their data collection apparatus, including their networks of data broker partners and even their corporate affiliations
- general failure to provide meaningful opt-out mechanisms that EU consumers can find and use to remove themselves fully from privacy-harming data collection and processing
- perpetuating a myth of “anonymity” at a time when marketers—armed with vast amounts of details about consumers’ personal needs and interests, employment and social status, location and income—do not need to know one’s name in order to track and target that particular individual online
- claims made by several companies named in the complaint that they act as “data processors” on behalf of others, when in fact they play a central role in bringing the power of their Big Data-driven services to bear on consumer profiling and targeting.
The CDD is calling on the US and EU to suspend the Safe Harbor program pending an investigation by the FTC on the basis that:
The commercial surveillance of EU consumers by US companies, without consumer awareness or meaningful consent, contradicts the fundamental rights of EU citizens and European data protection law.
The Center wants the FTC to focus on three things:
- Whether companies are misstating their actual purposes and practices of data collection and use?
- Whether companies are misrepresenting legal facts of importance to EU consumers?
- Where companies have merged with and acquired other companies, expanded their data collection and profiling capabilities, changed their entire corporate structure and business plan, have they updated their Safe Harbor disclosures or made clear to consumers their ongoing duties to protect personal information?
The 30 companies cited by CDD include Adobe, Salesforce.com, Marketo, Oracle-acquired BlueKai and AOL. While most of the names on the list have yet to comment, Adobe and Marketo have both stated they do not believe the CDD allegations have merit, while Salesforce.com said in a statement:
At Salesforce.com, nothing is more important than the trust of our customers. We abide by the EU/US and Swiss/US Safe Harbor principles and certify to these principles with the US Department of Commerce.
The CDD also criticized the FTC and the US Department of Commerce for general lack of enforcement. The FTC settled Safe Harbor complaints with 14 companies in June.
Jeff Chester, CDD’s executive director, said:
The US is failing to keep its privacy promise to Europe. Many companies are relying on exceedingly brief, vague or obtuse descriptions of their data collection practices, even though Safe Harbor requires meaningful transparency and candor. Our investigation found that many of the companies are involved with a web of powerful multiple data broker partners who, unknown to the EU public, pool their data on them so they can be profiled and targeted online.
Instead of ensuring that the US lives up to its commitment to protect EU consumers, our investigation found that there is little oversight and enforcement by the FTC. The Big Data-driven companies in our complaint use Safe Harbor as a shield to further their information-gathering practices without serious scrutiny.
The 30 companies cited in CDD’s filing are: Acxiom, Adara Media, Adobe, Adometry, Alterian, AOL, AppNexus, Bizo, BlueKai, Criteo, Datalogix, DataXu, EveryScreen Media, ExactTarget, Gigya, HasOffers, Jumptap, Lithium, Lotame, Marketo, MediaMath, Merkle, Neustar, PubMatic, Salesforce.com, SDL, SpredFast, Sprinklr, Turn, and Xaxis.
The CDD complaint and a breakdown of the allegations against specific companies can be found here.
Well it'll play well in the corridors of power in Brussels. Cue more faux outrage and general high-horsery from the usual suspects.
It's increasingly clear though that a serious re-evaluation of the Safe Harbor provisions is needed, if only to put an end to such headline-grabbing allegations.
The cynical climate of fear, uncertainty and doubt being cultivated by certain parties to pursue their own misguided political agendas is unfortunately gaining too much traction.
A general clearing of the air would be in the best interests of both the US provider community and the European customer.
Disclosure: at time of writing, Oracle and Salesforce.com are premium partners of diginomica and Marketo is a partner.