Commerce and International Privacy Activities: Findings
Report home | Read the report (PDF) | Previous section | Next section
The Department of Commerce’s actions on international privacy matters have often been characterized by highly visible but ineffectively administered programs that lack rigor. As this report discusses, three separate studies show that many and perhaps most Safe Harbor participants are not in compliance with their obligations under the Safe Harbor Framework. The Department of Commerce has thus far carried out its functions regarding the Safe Harbor program without ensuring that organizations claiming to comply with the Safe Harbor requirements are actually doing so.
The Department of Commerce is co-chair of Subcommittee on Privacy and Internet Policy established by the Obama Administration in late 2010. The other co-chair is the Department of Justice. Given the Commerce Department’s past deficiencies and the Department of Justice’s role as a law enforcement agency, this leaves the leadership of the Subcommittee on Privacy and Internet Policy without a strong voice for consumer privacy interests.
There is no evidence that the Department of Commerce has conducted any type of audit or significant review of the Safe Harbor Framework since the program began in 2000. If there has been an audit or review, it has not been made public in any meaningful way.
Any substantive shortcomings of the Safe Harbor Framework are the joint responsibility of the Department of Commerce and the European Union and as such are beyond the scope of this report. The European Commission ordered two studies of Safe Harbor, but took no significant action based on the consistent and critical findings of the studies. A third and more recent study confirmed that serious problems continue to exist with Safe Harbor compliance by US organizations. It is apparent from these studies that the Department of Commerce has not done enough to fully carry out its Safe Harbor responsibilities.
The Department of Commerce’s failure to demand compliance with Safe Harbor requirements has so undermined the value of the program that some European data protection authorities are no longer willing to rely on a participating organization’s self-certification as reflected on the Department of Commerce’s Safe Harbor website.
The Department of Commerce’s international privacy activities since 1980 have been mostly designed to advance the interests of the American business community. Consumers in the United States and elsewhere cannot reasonably expect the Department of Commerce to pay much, if any, attention to their privacy interests.
Regarding the current position of the Department of Commerce on the newly formed Subcommittee on Privacy and Internet Policy, given the Commerce Department’s past deficiencies and the Department of Justice’s role as a law enforcement agency, this leaves the leadership of the Subcommittee on Privacy and Internet Policy without a strong voice for consumer privacy interests.
Roadmap: The US Department of Commerce and International Privacy Activities – Indifference and Neglect: Findings