Moreover, hundreds of US companies displayed the Safe Harbor seal on their website, while they were not even registered. The report covers a long list of mistakes, abuse, carelessness and downright fraud.
The bottom line, according to Galexia: "Until the Safe Harbor is reviewed and improved, consumers and business should approach all claims made regarding the Safe Harbor with great care, and undertake their own investigations before providing any personal information to US organisations."
That was in 2008. Since then, not much has changed. Last year the U.S. Federal Trade Commission (FTC) sued six companies for false Safe Harbor claims. These cases were all quickly settled. At the end of 2009 there were renewed talks between the EU and the US.
But the chaos and fraud continue. In July of this year Galexia director Chris Connolly presented the results of a follow-up study. 2,170 US companies now claim to have the Safe Harbor certification, but 388 of them were not even registered with the Department of Commerce. There are 181 companies still on the list with certificates that have expired. As many as 940 companies make no effort to explain how they implement and enforce the Safe Harbor principles, while 314 companies provide a dispute resolution scheme that costs between $2,000 and $4,000 - a cost that is against the principles.
The final report was due to be published in August, but it hasn't come out. The only details available come from the data protection agency of the German state of Schleswig-Holstein, which reported on a presentation made by Connolly. "These numbers come from the presentation that Mr. Connolly did in July in Cambridge. The report was to be released in August, but since then we haven't heard from him," said a spokesman for the data protection agency.
Connolly hasn't returned numerous calls and emails. A spokesman for Galexia maintains that he is "very busy". The spokesman does, however, provide a cryptic explanation of why the report has not yet been published. "The results are quite controversial. Some parties were not too happy." There's no confirmation that the report will be published at all.
Safe Harbor bankrupt
"If you read the findings and conclusions, I'm a little bit shocked. This is pretty severe. In the past 10 years, very little seems to have changed," says Leo van der Wees, scholar at the Tilburg Institute for Law, Technology and Society at the University of Tilburg.
"All the more reason to say: Safe Harbor is nice and all, but we Europeans won't come back until it is properly regulated. And if you are contracting an American company claiming it's Safe Harbor certified, do not assume it actually is," warns Van der Wees.
"I'm afraid that the Safe Harbor has very little value anymore," says Theo Bosboom, IT lawyer with Dirkzager Lawyers. "The idea itself was not so bad, but if there is no oversight, and every company can claim certification without suffering any consequences if they are wrong or fraudulent, the seal is no longer reliable. You can see that this has already happened."
So Europeans had better keep their data in Europe? Certainly, advises Bosboom. "When companies ask me, 'Is this an issue?' I say yes, definitely. If alternative companies offer the guarantee that data stays within the European Union, that is without a doubt the best choice, legally."
Clarification from the European Commission
Member of the European Parliament Sophie in 't Veld has pledged to raise Parliamentary Questions that demand clarification from the European Commission on the Safe Harbor abuses. "The Commission must tell us what they know about these reports and why nothing was done about it," she said. She also wonders whether the FTC should have stepped in much earlier.
The issue at hand deserves much more attention, says In 't Veld. "It's a typical lack of privacy awareness and priority in the US but also in Europe. The EU and the US have full-blown trade wars about almost anything, but a total lack of control over cross-border processing and storage of private data of hundreds of millions of Europeans can apparently be ignored for years."
In 't Veld has her hopes pinned on a comprehensive Treaty on Transatlantic Data Protection that is currently in the works in Brussels and Washington. The EU itself is overhauling its data protection directive as well. "This is a very good time to strengthen data protection, not only vis-a-vis the government, but also in the private sector. It's long overdue," she said.
European Commissioner Neelie Kroes last week announced new rules concerning data protection and cloud computing. But whether that means the end of the controversial Safe Harbor code is not yet clear.
IT lawyer Bosboom thinks Safe Harbor is ready for oblivion, but he also hopes that Europe and the US will agree to a binding treaty on cross-border data processing. Still, he is skeptical of the chances of such a treaty. "The US and Europe think very differently about privacy. These issues with Safe Harbor demonstrate this clearly once more."
However, some new regulatory framework is needed, and quickly, says Bosboom. "Much of the international business community struggles with this. Current law and legal practice is simply not suited to cloud computing, while there's a huge need for it. Surely something must be done."