Safe Harbor not a secure port when it comes to privacy and data collection and management

August 17, 2014 |

The Safe Harbor Framework between the USA and Europe purporting to ensure that data from the EU regarding its citizen’s personal information would be handled in a manner consistent with EU privacy and data collection regulations has always been a difficult child.  It continues to be a troubled adolescent as evidenced by the complaint filed by the Center for Digital Democracy with the Federal Trade Commission regarding the operation of 30 companies.  In its public announcement CDD Files Complaint on U.S./EU Safe Harbor for Data Privacy at FTC/ Filing Reveals Failure of U.S. Agreement to Protect European Privacy it states:

The key framework that is supposed to protect EU citizens’ privacy when their data is collected by U.S. companies—known as the U.S.-EU Safe Harbor—is failing to provide them the safeguards that were promised, according to a complaint filed today by a leading U.S. consumer privacy group—the Center for Digital Democracy (CDD). The complaint, filed at the U.S. Federal Trade Commission (FTC), details how these companies are compiling, using, and sharing EU consumers’ personal information without their awareness and meaningful consent, in violation the Safe Harbor framework. Overseen by the U.S. Department of Commerce, the Safe Harbor is based on a voluntary “self-certification” process, in which companies that promise to provide clear “notice” (of their data-collection practices and data uses) and “choice” (giving consumers the opportunity to “opt out” of practices they did not previously agree to) are then allowed to collect information from European consumers without strictly following the EU’s higher data-protection standards. The EU has itself recognized that the current Safe Harbor regime is inadequate, and has called for its revision.
 
CDD’s filing at the FTC, which is the agency that is supposed to ensure that the Safe Harbor system protects EU consumers’ privacy, calls for an investigation of 30 companies involved in data profiling and online targeting, including data brokers that have compiled vast amounts of sensitive information on individual consumers; data management platforms that allow their corporate clients to analyze their own consumer information and combine it with outside data sources to produce detailed marketing insights; and mobile marketers that track devices and tie them to user profiles in order to identify the most profitable consumers for personalized advertising.
 
“The U.S. is failing to keep its privacy promise to Europe,” said Jeff Chester, CDD’s executive director. “Instead of ensuring that the U.S. lives up to its commitment to protect EU consumers, our investigation found that there is little oversight and enforcement by the FTC. The Big Data-driven companies in our complaint use Safe Harbor as a shield to further their information-gathering practices without serious scrutiny. Companies are relying on exceedingly brief, vague, or obtuse descriptions of their data collection practices, even though Safe Harbor requires meaningful transparency and candor. Our investigation found that many of the companies are involved with a web of powerful multiple data broker partners who, unknown to the EU public, pool their data on individuals so they can be profiled and targeted online.”
 
Although the companies cited for FTC investigation differ in their various approaches to data collection for the purposes of profiling and targeting individual consumers, the filing identified five broad concerns that illustrate the inadequacy of the Safe Harbor regime: (1) the failure of Safe Harbor declarations and required privacy policies in particular to provide accurate and meaningful information to EU consumers; (2) an overall lack of candor from the companies about the nature of their data collection apparatus, including their networks of data broker partners and even their corporate affiliations; (3) the general failure to provide meaningful opt-out mechanisms that EU consumers can find and use to remove themselves fully from privacy-harming data collection and processing; (4) the myth of “anonymity” at a time when marketers—armed with vast amounts of details about consumers’ personal needs and interests, employment and social status, location and income—do not need to know one’s name in order to track and target that particular individual online; and (5) the false claim made by several companies named in the complaint that they act as “data processors” on behalf of others, when in fact they play a central role in bringing the power of their Big Data-driven services to bear on consumer profiling and targeting.
 
As CDD Legal Director Hudson Kingston explained, “CDDs complaint describes the systemic failure of the Safe Harbor to function as it was intended. Companies are flouting standards that the Department of Commerce agreed to and the Federal Trade Commission pledged to enforce. Safe Harbor has to be overhauled to make sure it actually works; until that time, it should be suspended. We call on the FTC to investigate and sanction the companies named in our complaint. The fundamental privacy right of 500 million Europeans has been ignored and must be acknowledged and protected going forward.”
 
“The U.S. and EU are currently negotiating a trade agreement that will enable U.S. companies to gather even more data on Europeans,” Chester added. “Reform of Safe Harbor is urgently required before it becomes a ‘Get Out of Protecting Privacy’ card used by American companies under the forthcoming Transatlantic Trade and Investment Partnership (T-TIP).”
 
The 30 companies cited in CDD’s filing include Acxiom, Adara Media, Adobe, Adometry, Alterian, AOL, AppNexus, Bizo, BlueKai, Criteo, Datalogix, DataXu, EveryScreen Media, ExactTarget, Gigya, HasOffers, Jumptap, Lithium, Lotame, Marketo, MediaMath, Merkle, Neustar, PubMatic, Salesforce.com, SDL, SpredFast, Sprinklr, Turn, and Xaxis.

The Draft Complaint (at  118 pages) is found here with a more management executive summary found here.

This must come as a disappointment to both the US Government and the EU given the joint statement of the US and Europe on 26 March 2014 to strengthen the Safe Harbor Framework which was designed to deal with the EU’s real and ongoing concerns.

Australia has a far more robust privacy regulation framework, more consistent with (but not as good as ) the EU than the USA.  The problem in Australia has been weak regulatory action.  Part of that may be explained by the lack of powers available to the Privacy Commissioner.  Now that the Privacy Commissioner has the powers, or at least enough to take real rather than fey enforcement action, the question is whether he uses them to full effect.  Time will only tell.

One Response to “Safe Harbor not a secure port when it comes to privacy and data collection and management”

  1. Safe Harbor not a secure port when it comes to privacy and data collection and management | Australian Law Blogs

    […] Safe Harbor not a secure port when it comes to privacy and data collection and management […]

Leave a Reply





Verified by MonsterInsights