The first set of recommendations in the Commission’s memo addresses a series of perceived deficiencies in how a Safe Harbor participating company makes its privacy practices available to the public at large.

1.         Self-certified companies should publicly disclose their privacy policies.

This is a foundational requirement for any Trustmark providing certification services around the US-EU Safe Harbor Framework. As a consequence, this recommendation is already implemented for those companies to participate in a Trustmark’s certification program. While Trustmark program participation is not required under the Framework, this first recommendation can be endorsed by the Department of Commerce due to the existence of such certification marks.

2.         Privacy policies of self-certified companies websites should always include a link to the Department of Commerce safe harbor website which lists all the “current” members of the scheme.

Similarly to the requirement around a link to privacy policy, certification programs also require placement of a “seal” or similar linkage which an individual can use to validate whether or not the certification is up-to-date. Fundamentally, this is to allow the consumer to determine whether or not the company’s current in their participation without having to go to multiple different sites. Consequently, this recommendation is very easy to implement (if not already implemented in many instances).

3.         Self-certified companies should publish privacy conditions of any contracts they conclude the subcontractors, such as cloud computing services.

Due to the very nature of contractual language, implement in this recommendation may not actually provide the individual with any additional awareness as to the types of protections implemented. Further, different relationships with different service providers will require different privacy and security language. However, privacy policies should indicate that any subcontractor or agent is required to process any personal information in conformance with the stated privacy policy. Fortunately, this requirement also exists in at least TRUSTe’s certification criteria. Thus, this recommendation has already been implemented, it least to the extent that TRUSTe’s services are used by participating company.

4.         Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme.

Unfortunately this recommendation is unclear. If the commission is requesting that the Department of Commerce maintain a list of every single company in the United States than this is clearly unreasonable request. However, the language of the recommendation seems to indicate more of an interest in maintaining a list of companies that had been participants, but no longer are. This also may be problematic, in that where a participant has been on the safe harbor list and is removed without any indication as to why they are removed, the goodwill of the company may be diluted. Especially considering the other alternatives for “adequacy” which are available to companies, this could well be an unfair perception. For example, where a company decides implement binding corporate rules instead of participate in safe harbor framework, the removal of the company from the safe harbor list should not indicate to the consumer that such company does not protect individuals privacy rights. Implement in this recommendation will require additional discussions between the US and the EU to ensure that negative unintended consequences to good actors are not the result of the implementation.