The first set of recommendations in the Commission’s memo addresses a series of perceived deficiencies in how a company participating in Safe Harbor makes its privacy practices available to the public at large.
1. Self-certified companies should publicly disclose their privacy policies.
This is a foundational requirement for any Trustmark providing certification services around the US-EU Safe Harbor Framework. As a consequence, this recommendation is already implemented for those companies that participate in a Trustmark’s certification program. While Trustmark program participation is not required under the Framework, this first recommendation can be endorsed by the Department of Commerce because such certification marks already exist and already impose it.
2. Privacy policies on self-certified companies’ websites should always include a link to the Department of Commerce Safe Harbor website, which lists all the “current” members of the scheme.
Similar to the requirement for a link to the privacy policy, certification programs also require placement of a “seal” or similar link which an individual can use to validate whether or not the certification is up to date. Fundamentally, this allows the consumer to determine whether or not the company is current in its participation without having to visit multiple different sites. Consequently, this recommendation is very easy to implement (if not already implemented in many instances).
3. Self-certified companies should publish the privacy conditions of any contracts they conclude with subcontractors, such as cloud computing services.
Due to the very nature of contractual language, implementing this recommendation may not actually provide the individual with any additional awareness of the types of protections in place. Further, different relationships with different service providers will require different privacy and security language. However, privacy policies should indicate that any subcontractor or agent is required to process personal information in conformance with the stated privacy policy. Fortunately, this requirement also exists in at least TRUSTe’s certification criteria. Thus, this recommendation has already been implemented, at least to the extent that TRUSTe’s services are used by the participating company.
4. Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme.
Unfortunately, this recommendation is unclear. If the Commission is requesting that the Department of Commerce maintain a list of every single company in the United States, then this is clearly an unreasonable request. However, the language of the recommendation seems to indicate more of an interest in maintaining a list of companies that had been participants but no longer are. This also may be problematic: where a participant has been on the Safe Harbor list and is removed without any indication as to why, the goodwill of the company may be diluted. Especially considering the other alternatives for “adequacy” which are available to companies, this could well create an unfair perception. For example, where a company decides to implement binding corporate rules instead of participating in the Safe Harbor framework, the removal of the company from the Safe Harbor list should not indicate to the consumer that the company does not protect individuals’ privacy rights. Implementing this recommendation will require additional discussions between the US and the EU to ensure that the implementation does not produce negative unintended consequences for good actors.