As anyone in the identity industry knows, more lies between America and Europe than just an ocean. In fact, when it comes to privacy and data protection, a wide gulf separates the old and new worlds.

Germany in particular is often perceived as hidebound, not to say paranoid, when it comes to companies collecting personal data about their customers. People are signing up by the thousands to have their houses deleted from Google StreetView, with the mass-circulation “Bild Zeitung” running panic-inducing headlines like “StreetView snoops private data” and warning their readers about “Google’s next attack: Now they’re using bikes to film us!” The German minister of consumer affairs, Ilse Aigner, has publicly urged her fellow citizens to follow her example and cancel their Facebook accounts.

Most Americans I know simply shake their heads and grumble about “unhinged eurocrats run amok”. But unfortunately, it isn’t that simple. For better or worse, American companies need to realize that these are genuine concerns by genuine people. And no matter how lackadaisical US consumers may be when it comes to handing out personal information, the reality is that Europeans are not.

“But isn’t that what Safe Harbor is all about?”, one American identity expert (who shall remain nameless) exclaimed recently when I asked him how he thinks the problem should be addressed. True – but apparently, safe harbors in the US are anything but. That at least is what the so-called “Duesseldorf Circle”, a group of data privacy officials from all German states, stated in a report released last April. They accuse US companies of cheating on the agreement which was reached way back in 2000 between the United States and the EU.

This essentially confirms results of a study conducted in 2008 by the Australian consulting firm Galexia, in which they concluded that most companies that purport to be certified members of the Safe Harbour Framework actually aren’t. Their findings are a shock to anyone believing in self-regulation:

  • Only 348 of 1,597 enterprises and organizations on the official Safe Harbor List, which is jointly kept by the European Commission and the U.S. Department of Commerce, meet even the most basic requirements. Many do not have a privacy policy, and most fail to comply with Principle 7 of the agreement which stipulates that signees must identify an independent dispute resolution process for consumers.
  • 209 organizations selected a dispute resolution provider that was not affordable (including the infamous American Arbitrations Association, AAA, that charged up to $1,200 an hour with a four-hour minimum charge plus a hefty $950 administration fee!).
  • 206 companies claimed on their public websites to be members of the Safe Harbor, but aren’t. 73 companies falsely claimed to be members of a Privacy Trustmark Scheme such as eTrust, or the BBB Online Privacy program, which ceased to operate in June of 2008.
  • 20 organizations displayed a fictional Department of Commerce Safe Harbor “seal” on their website.
  • 24 claimed to have been certified by the Department of Commerce or the European Commission, which is obviously impossible: the program is based on self-certification.

In a recent article in “Öko-Test”, a magazine published by the prestigious German foundation “Stiftung Warentest”, the privacy policies of U.S.-based companies such as Google, Facebook, Twitter and YouTube were graded. They all failed.

Facebook, the article states, is in open breach of German law, while Google introduces the concept of “sensitive personal information” (which implies that some personal data are somehow “insensitive” and therefore free to be put to any use Google might think of). Twitter blandly informs visitors to their website that they “collect and use your information to provide our services and improve them over time”, but fail to mention which information they are referring to and what specifically they do with it, blatantly ignoring the four guiding principles of German privacy laws, namely allocation of purpose, necessity, transparency and minimal disclosure.

While Facebook and Google at least pay lip service to the Safe Harbor Agreement, Twitter hasn’t even bothered to sign, Öko-Test maintains. And anyway, why bother: “These contracts aren’t worth the paper they were signed on or the e-mails they were sent with”, the magazine writes.

Rainer Erd, a well-known expert on privacy and data protection with the law firm Schmalz in Frankfurt/Main, recently weighed in with a comment in the “Sueddeutsche Zeitung” in which he accuses U.S. companies such as Google and Facebook of duping European consumers by making them believe that they follow the provisions of the Safe Harbor Agreement, when actually they routinely store personal data on “secret servers” in the United States.

So why should U.S. companies be worried? After all, German policemen won’t be turning up anytime soon in corporate headquarters in Silicon Valley, and writs issued by German courts aren’t likely to be enforced by authorities on the other side of the Atlantic.

The real cause for concern is the growing uneasiness of European consumers with the high-handed manner in which U.S. companies treat their data. If Google seriously thinks it can make StreetView fly in Germany, it will need to launch a whole-hearted goodwill campaign including ironclad guarantees that it will follow not just the letter but the spirit of local privacy laws. As of this writing, there is no sign that this has really been understood, either in Mountain View or in the headquarters of other U.S. companies seeking growth in Europe as the domestic U.S. market continues to sag.

Above all, governments and companies on both sides of the Atlantic need to strengthen and enforce the Safe Harbor Agreement so that it does in fact become a secure port for business – and not another murky swamp into which data disappears.