The first set of recommendations in the Commission’s memo addresses a series of perceived deficiencies in how a Safe Harbor participating company makes its privacy practices available to the public at large.
1. Self-certified companies should publicly disclose their privacy policies.
This is a foundational requirement for any Trustmark providing certification services around the US-EU Safe Harbor Framework. As a consequence, this recommendation is already implemented for those companies that participate in a Trustmark’s certification program. While Trustmark program participation is not required under the Framework, this first recommendation can be endorsed by the Department of Commerce due to the existence of such certification marks.
2. Privacy policies on self-certified companies’ websites should always include a link to the Department of Commerce safe harbor website, which lists all the “current” members of the scheme.
3. Self-certified companies should publish the privacy conditions of any contracts they conclude with subcontractors, such as cloud computing services.
4. Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme.
Unfortunately, this recommendation is unclear. If the Commission is requesting that the Department of Commerce maintain a list of every single company in the United States, then this is clearly an unreasonable request. However, the language of the recommendation seems to indicate more of an interest in maintaining a list of companies that had been participants but no longer are. This also may be problematic: where a participant has been on the safe harbor list and is removed without any indication as to why, the goodwill of the company may be diluted. Especially considering the other alternatives for “adequacy” which are available to companies, this could well create an unfair perception. For example, where a company decides to implement binding corporate rules instead of participating in the safe harbor framework, the removal of the company from the safe harbor list should not indicate to the consumer that such a company does not protect individuals’ privacy rights. Implementing this recommendation will require additional discussions between the US and the EU to ensure that the implementation does not produce negative unintended consequences for good actors.