
IEEE TRANSACTIONS ON PROFESSIONAL COMMUNICATION, VOL. 49, NO. 1, MARCH 2006

Safe Harbor and Privacy Protection:
A Looming Issue for IT Professionals

MIKE MARKEL


Abstract: The 25 European Union (EU) Member States require that their residents' personal information not
be transferred to countries that do not protect that information adequately. In 2000, the EU ruled that the
United States (US), through its voluntary Safe Harbor program, met that requirement. Since that time, however,
the EU has charged that many US companies that claim to be in compliance with Safe Harbor policies are not.
In this article, I report on a study of the privacy-policy statements of 20 randomly selected US companies that
claim to be in compliance. Of the 20, 19 are not in compliance. This study argues that as EU Member States
begin to examine Safe Harbor carefully, they are likely to force US companies to adhere to more stringent
privacy policies. The burden of this adherence will be borne by US IT professionals.


Index Terms: Data privacy, data protection, Department of Commerce, European Commission, information
technology (IT), international trade, Safe Harbor.

Every week, the news media report another incident
of privacy violation. Sometimes, hackers penetrate
a company's database, grabbing sensitive customer
information. Sometimes, laptops or storage media are
lost or stolen, raising fears that the data might be
compromised. On occasion, the privacy violation is a
new technological innovation or business practice,
such as Google's Gmail, which reads customer emails
and inserts targeted ads.

Privacy is the subject of a decade-long confrontation
between officials of the United States (US) and
the European Union (EU). In 1995, the EU issued
Directive 95/46/EC, commonly called the Data
Protection Directive [1], [2]. The purpose of the
Directive, which went into force in 1998, was to direct
EU Member States to protect the fundamental rights
and freedoms of natural persons, and in particular
their right to privacy with respect to the processing of
personal data [1, p. 2]. The Directive defines PERSONAL
DATA as any information relating to an identified or
identifiable natural person, and PROCESSING as any
operation or any set of operations which is performed
upon personal data . . . [1, p. 8].

Article 25 of the Directive states that the transfer to
a third country of personal data which are
undergoing processing or are intended for processing
after transfer may take place only if . . . the third
country . . . ensures an adequate level of protection
[1, p. 15]. What Article 25 means is that, if the
US companies' protection of personal data were
considered inadequate, the 25 EU Member States,
with a population of 450 million, would be required to
prohibit their citizens from doing business with those
US companies. EU citizens would not be permitted
to buy tickets on US airlines, buy services from US
banks and financial-services companies, or buy goods
from US-based e-commerce sites. In short, the EU
Directive posed an enormous bureaucratic threat to
US-EU trade.

Manuscript received June 20, 2005; revised August 29, 2005.
The author is with the Department of English,
Boise State University, Boise, ID 83725 USA
(email: mmarkel@boisestate.edu).

IEEE DOI 10.1109/TPC.2006.870462

This confrontation is based on different views on the
meaning and importance of privacy. The EU views the
privacy of personal information as a fundamental
human right that deserves protection by law. By
contrast, the US sees some kinds of personal
information (such as a person's medical information
or a child's personal information) as deserving of legal
protection but other kinds of personal information
(such as financial information) as commodities that
a person may choose to conceal or reveal. However,
this decade-long struggle between the US and the EU
is not merely an abstract philosophical question; it
affects a growing share of the hundreds of billions of
dollars of annual trade between the US and the EU.

High-level negotiations between US and EU officials
began soon after the EU published its 1995 Directive.
In 2000, the US announced its Safe Harbor Privacy
Policy [3]. Issued by the US Department of Commerce
(DoC), Safe Harbor is a set of privacy guidelines that
individual US companies could pledge to comply
with, guidelines that would satisfy the EU that
those companies provided adequate protection for
personal information transferred from the EU. Safe
Harbor succeeded: the EU ruled that its residents
were entitled to do business with US companies that
pledge to comply with Safe Harbor.

0361-1434/$20.00 © 2006 IEEE

However, the EU has never been fully satisfied with
Safe Harbor, for two main reasons. First, Safe Harbor
is voluntary. A company simply decides whether to
declare that it complies with Safe Harbor principles.
As of today, five years after the introduction of Safe
Harbor, fewer than 700 US companies have done
so [4]. Second, Safe Harbor is self-certifying. No US
government agency investigates whether the company
in fact complies with Safe Harbor, or even whether
its privacy-policy statement reflects Safe Harbor
principles. In various official progress reports about
Safe Harbor, EU officials have claimed that the
privacy policies of many US companies that say they
comply with Safe Harbor in fact do not. (For more on
the history of Safe Harbor and the EU Directive, see
[5].)

Why should IT professionals in the US care about
Safe Harbor? Writing in Computerworld, Frank Hayes
argues that although the decision whether to comply
with Safe Harbor will be made at a corporate level,
most of the steps needed to comply will be taken in
the IT department [6]. IT will need to monitor all the
customer information, digital and analog, that is
disbursed within the company, collate it, and prepare
it to be presented in clear English to enable any
EU resident to see and correct his or her personal
information quickly and easily. Hayes makes one
other point: IT people need to figure out how to do
this now, because when corporate leaders decide to
do it, they will want it done immediately.

In this essay, I investigate the EU's claim by studying
a small set of privacy-policy statements published by
US companies that have declared that they comply
with Safe Harbor. I begin by describing the major
provisions of Safe Harbor and the EU's increasingly
frustrated official comments about Safe Harbor. Then,
I study the set of privacy policies. Finally, I describe
the implications of this conflict for IT professionals in
US companies.

THE MAJOR PROVISIONS OF SAFE HARBOR
The two main documents on the Safe Harbor section
of the US DoC website that describe Safe Harbor are
Safe Harbor Privacy Principles Annex and a set of 15
Frequently Asked Questions. The site also includes
the Safe Harbor List, a list of some 700 companies
that have pledged to comply with the program. This
list is updated periodically, although the site does not
specify the frequency or schedule of the updating.

The Text of the Safe Harbor Documents

The core of the Safe Harbor framework is seven privacy principles [7]:
(1) Notice: Organizations must notify individuals
about the purposes for which they collect
and use information about them. They must
provide information about how individuals
can contact the organization with any
inquiries or complaints, the types of third
parties to which it discloses the information
and the choices and means the organization
offers for limiting its use and disclosure.
(2) Choice: Organizations must give individuals
the opportunity to choose (opt out) whether
their personal information will be disclosed
to a third party or used for a purpose
incompatible with the purpose for which
it was originally collected or subsequently
authorized by the individual. For sensitive
information, affirmative or explicit (opt in)
choice must be given if the information is to
be disclosed to a third party or used for a
purpose other than its original purpose or
the purpose authorized subsequently by the
individual.
(3) Onward Transfer (Transfers to Third
Parties): To disclose information to a third
party, organizations must apply the notice
and choice principles. The organization must
also ensure that the third party subscribes
to the safe harbor principles or is subject to
the [EU] Directive or another adequacy
finding or enter into a contractual agreement
with the third party requiring that the third
party provide at least the same level of privacy
protection as is required by the relevant
principles.
(4) Access: Individuals must have access to
personal information about them that an
organization holds and be able to correct,
amend, or delete that information where
it is inaccurate, except where the burden
or expense of providing access would
be disproportionate to the risks to the
individual's privacy in the case in question, or
where the rights of persons other than the
individual would be violated.
(5) Security: Organizations must take
reasonable precautions to protect personal
information from loss, misuse and
unauthorized access, disclosure, alteration
and destruction.
(6) Data integrity: Personal information must
be relevant for the purposes for which it
is to be used. An organization should take
reasonable steps to ensure that data is reliable
for its intended use, accurate, complete, and
current.
(7) Enforcement: In order to ensure compliance
with the safe harbor principles, there must
be (a) readily available and affordable
independent recourse mechanisms so that
each individual's complaints and disputes can
be investigated and resolved and damages
awarded where the applicable law or private
sector initiatives so provide; (b) procedures for
verifying that the commitments companies
make to adhere to the safe harbor principles
have been implemented; and (c) obligations to
remedy problems arising out of a failure to
comply with the principles. Sanctions must
be sufficiently rigorous to ensure compliance
by the organization. Organizations that fail to
provide annual self certification letters will
no longer appear in the list of participants
and safe harbor benefits will no longer be
assured.
This and other documents on the site explain other
provisions of Safe Harbor, four of which are important
to this study:
A company's request to be put on the Safe
Harbor list, and its appearance on this list
pursuant to that request, constitute a
representation that it adheres to a privacy policy
that meets the Safe Harbor privacy principles
[7].
Companies must state in their relevant
published privacy policy statements that they
adhere to the Safe Harbor Principles, the
privacy-policy statements must be clear, concise
and easy to understand, and the company
must provide an accurate and publicly available
location for their applicable privacy statement
[8].
Each company is required to appoint a contact
point [a person] for the handling of questions,
complaints, access requests, and any other
issues arising under the Safe Harbor [8].
For resolution and enforcement in cases of
disputes between individuals and companies,
companies may pledge to accept the ruling of
the relevant EU data-privacy officials or accept
the ruling of a private US dispute-resolution
organization. Helpful Hints Prior to
Self-Certifying to the Safe Harbor [8] lists
organizations that companies might consider
enlisting, including BBB [Better Business
Bureau] OnLine, TRUSTe, AICPA [American
Institute of Certified Public Accountants],
WebTrust, the Direct Marketing Association, the
Entertainment Software Rating Board, JAMS
[Judicial Arbitration and Mediation Services],
and the American Arbitration Association.
More informative than the texts of the Safe Harbor
documents, however, are their subtexts.


The Subtext of the Safe Harbor Documents

The rhetoric of the Safe Harbor documents suggests that
the US DoC views the EU Directive as unreasonable,
and that US companies should do as little as possible
to satisfy the letter of the Directive.

This view is apparent in the Safe Harbor Workbook,
which presents the background of the EU Directive
and of Safe Harbor. In explaining the US approach to
privacy, the Workbook describes privacy protection
not as ethical practice but as good business:
In the United States, the importance of protecting
the privacy of individuals' personal information
is a priority for the federal government and
consumers. Consumers repeatedly cite fears
that their personal information will be misused
as a reason for not doing business online.
In this way, moves to bolster on-line privacy
protect consumer interests and fuel the
broader growth of on-line communications,
innovation, and business. Self-regulatory
initiatives are an effective approach to putting
meaningful privacy protections in place. In
certain highly sensitive areas, however, legislative
solutions are appropriate. These sensitive areas
include financial and medical records, genetic
information, Social Security numbers, and
information involving children. [9]
Notice that although the first sentence of
this statement refers to privacy protection
for individuals, in the next two sentences
individuals become consumers. Sentence four
claims (counterintuitively, in my view, and without
explanation or evidence) that self-regulation is
effective. The failure to argue this point is puzzling,
considering that the occasion for devising Safe
Harbor in the first place is that the EU believes that
self-regulation is ineffective.

This US pro-business stance is visible in every
reference to the EU Directive. For example, the Safe
Harbor Overview states that
The safe harbor, approved by the EU in 2000, is
an important way for U.S. companies to avoid
experiencing interruptions in their business
dealings with the EU or facing prosecution by
European authorities under European privacy
laws. Certifying to the safe harbor will assure
that EU organizations know that your company
provides adequate privacy protection, as defined
by the Directive. [7]

The Safe Harbor Workbook offers this advice on how
to select a dispute-resolution organization:
When evaluating a third-party service, keep your
own business processes in mind. Make sure that
the services offered provide your customers the
assurance that they seek and your organization
the support it needs without impeding your
regular operations. [9]
The second sentence in this passage is quite
revealing, in two ways. First, it uses the word
assurance in a misleading way. Throughout the Safe
Harbor documents, assure and ensure are used
interchangeably, as if to assure someone that their
privacy will be protected is the same as to ensure that
their privacy will be protected. This is not a quibble
about usage, because the use of assurance in this
passage enables readers to infer that the real purpose
of retaining the dispute-resolution service is to appear
to satisfy the customer's concerns, rather than to
make sure the problem is solved by keeping the
individual's information private. Second, the advice
to make sure the dispute-resolution service does not
impede your regular operations enables readers to
draw the unhappy inference that the company will
not experience any added burdens, even at the start.
Wouldn't it be more reasonable to assume that doing
things differently might indeed require impeding your
regular operations to some extent, at least in the
short run?

There is still one more dubious passage. Earlier I
quoted the section from the Safe Harbor Workbook
stipulating that a company's request to be included
on the Safe Harbor list constitutes a representation
that it adheres to Safe Harbor. The following passage
appears in the introduction to the Safe Harbor List:
In maintaining the list, the Department of
Commerce does not assess and makes no
representation as to the adequacy of any
organization's privacy policy or its adherence
to that policy. Furthermore, the Department of
Commerce does not guarantee the accuracy of
the list and assumes no liability for the erroneous
inclusion, misidentification, omission, or deletion
of any organization, or any other action related to
the maintenance of the list. [4]
So much for assurances.

This grudging approach to Safe Harbor dates to the
program's planning stages. When David L. Aaron,
Undersecretary of Commerce for International
Trade, circulated an initial draft of Safe Harbor on
4 November 1998, he addressed his letter Dear
Industry Representatives. The letter includes this
passage:
Please note that these principles are designed
to facilitate a bilateral understanding between
the US and European Community and thus to
enhance commerce between the US and the
European Community. They are not intended
to govern or affect US privacy regimes, which
are being addressed by other government and
private sector efforts. Adoption of the principles
is voluntary and their use is intended solely by
US organizations receiving personal data from
the European Union for the purpose of qualifying
for the safe harbor. [10]
Many industry representatives did respond to
Ambassador Aaron's call for comments, presenting
technical arguments for revising certain aspects of
the Safe Harbor draft. Also responding were many
privacy and information-policy consultants, among
them Robert Gillman. On 12 November 1998, Gillman
wrote, in part:
The salutation of Ambassador Aaron's letter is
telling. It says Dear Industry Representative.
The letter is clearly not addressed to organizations
that represent consumers, privacy advocates,
Internet users, or ordinary citizens. Any observer
of the process for soliciting comments could easily
conclude that the Department is only interested
in the views of carefully selected members of the
American business community and that it has no
particular interest in the views of other parts of
the business community or any other segment of
American society. [11]
Gillman went on to summarize his argument against
the Safe Harbor draft:
The principles of fair information practices were
largely invented here in the United States, and
the federal government has operated successfully
under them for almost 25 years. Businesses in
Europe, including many subsidiaries of American
corporations, function successfully under data
protection regimes. The goal should be finding
ways that we can address data protection here
in a practical manner rather than to seek broad
exemption from basic principles. [11]


EU ASSESSMENT OF SAFE HARBOR
The EU's growing frustration with Safe Harbor is
apparent in three major documents published over
the last five years: the approval of Safe Harbor
(2000); a working paper assessing Safe Harbor's
implementation (2002); and its formal assessment of
its implementation (2004).


2000 Approval by EU

On 26 July 2000, the EU
ruled that Safe Harbor constitutes adequate
protection, and therefore that the data flow of
personal information from the EU to US companies
would not be interrupted [12]. The EU decision was
subject to several expected qualifiers:
that the organization receiving the data has
unambiguously and publicly disclosed its
commitment to comply with the Principles
implemented in accordance with the FAQs;
that the organization is subject to the statutory
powers of a government body in the United States
. . . which is empowered to investigate complaints
and to obtain relief against unfair or deceptive
practices as well as redress for individuals,
irrespective of their country of residence or
nationality, in case of noncompliance with the
Principles . . .;
that the EU could review its decision in light of
future developments that cause it to question
whether Safe Harbor is achieving its ends;
that individual EU Member States could stop the
flow of personal information to US signatories
to Safe Harbor if they concluded that those
companies were not in compliance with Safe
Harbor.
The tone of the letter from the chief EU official, John
F. Mogg, to the DoC official is diplomatic and cordial,
as this excerpt suggests:
Our dialogue has proved extremely useful in
clarifying rules and practices on both sides,
identifying much common ground and exchanging
information on procedures. The continuation of
this dialogue would seem desirable, on a periodic
basis and/or when a particular problem makes
it necessary. This will allow us to continue to
exchange information on relevant developments
concerning the implementation of Articles 25 and
26 and developments in the United States, in
line with our general commitment to regulatory
co-operation in the context of the TransAtlantic
Economic Partnership [13].


2002 Working Paper

In a progress report dated
13 February 2002 [14], the EU registered two main
concerns about the implementation of Safe Harbor:
A substantial number of organizations that
have self-certified adherence to the Safe Harbour
do not seem to be observing the expected
degree of transparency as regards their overall
commitment or as regards the contents of their
privacy policies. Transparency is a vital feature
in self-regulatory systems and it is necessary
that organizations improve their practices in this
regard [14, p. 2]. The document notes that fewer
than half the companies post privacy policies
that reflect the seven principles of Safe Harbor.
A wide array of sanctions to enforce Safe
Harbour rules exist under dispute resolution
mechanisms. But not all dispute resolution
mechanisms have indicated publicly their
intention to enforce Safe Harbour rules and not
all have in place privacy practices applicable
to themselves that are in conformity with the
Principles, as required by Safe Harbour rules
[14, p. 2].
Calling this situation a case of teething problems
[14, p. 3], the 2002 document reiterates that the
EU will continue to cooperate with the Department
of Commerce in encouraging US organizations to
join and to insist on a rigorous respect for the
transparency requirements of the Safe Harbour [14,
p. 3]. It is only through the vigilance and enforcement
action of the relevant public authorities in the US,
the EU document states, that the arrangement will
remain credible and serve its purpose as a guarantee
of adequate protection for personal data transferred
from the EU to the US [14, p. 11].

2004 Three-Year Assessment

The three-year
assessment [15], published in 2004, shows increasing
frustration with the DoC's oversight of Safe Harbor.
Table I presents the major sources of unhappiness
expressed by the EU.

TABLE I
MAJOR EU CONCERNS IN THE 2004 ASSESSMENT OF SAFE HARBOR


The 2004 assessment also includes a set of
recommendations to the DoC:
Respect the Safe Harbor principles.
Be more proactive in publicizing Safe Harbor
and ensuring that companies that say they
adhere to it in fact do.
Be more proactive in launching investigations
where questions exist regarding Safe Harbour
compliance.
Provide more specific guidance about Safe
Harbor, including guidelines or best practices on
how to draft privacy policies that comply with
Safe Harbor.

TABLE II
CHARACTERISTICS STUDIED IN PRIVACY POLICIES ON WEBSITES OF SELECTED COMPANIES
THAT CLAIM COMPLIANCE WITH SAFE HARBOR

In short, the testy 2004 assessment suggests that
the EU privacy officials are quite frustrated with
Safe Harbor. The central problem is that the US is
doing exactly what it said it was going to do: create a
voluntary, self-certifying set of principles but take no
affirmative action unless it received complaints.

AN ANALYSIS OF SELECTED SAFE-HARBOR
PRIVACY-POLICY STATEMENTS
On 26 and 27 May 2005, I investigated the
privacy-policy statements of selected companies that
are listed on the DoC Safe Harbor list. I used the
following methods:
(1) Using Research Randomizer, I generated a
random list of ten companies on the Safe
Harbor list [16]. I chose a small number to
determine whether the EU claims about lack
of compliance were credible.
(2) I studied the privacy-policy statement on each
company's site, looking for the characteristics
noted in Table II.
(3) Using Research Randomizer [16], I generated
a random list of an additional ten companies
from the Safe Harbor list and studied their
privacy policies. I selected these additional ten
companies because my first set of ten did not
yield any that were in compliance.
(4) I emailed the privacy official or body listed
in each of the twenty sites, with this body
text: "I am a university professor studying
the Department of Commerce's Safe Harbor
privacy program. Would you please tell me
whether you consider your company to be in
compliance with the Safe Harbor program?
Thank you." If no email link was listed, I
wrote a business letter. My purpose was
to determine whether the company had in
place an official responsible for responding
to questions about its privacy policy, as
stipulated in the Safe Harbor documents.

TABLE III
NONCOMPLIANCE WITH SAFE HARBOR: HALF OF THE FIRST SET OF TEN COMPANIES


Tables III and IV present my findings for the first
randomly selected set of ten companies on the Safe
Harbor list. For each company, I present the major
areas of noncompliance, using the numbering system
presented in Table II. That is, if the company fails to
present a link to its privacy-policy statement on its
home page, I number that area of noncompliance as
1.

Because the results from my study of ten randomly
selected companies showed an overwhelming lack of
compliance (by companies that stated they are in
compliance), I decided to randomly select and study
another set of ten companies. I present the results
in Table V.

CONCLUSION
Although these results on their face present an
embarrassing picture of Safe Harbor compliance by
companies that claim to be in compliance, this study
is subject to several limitations.

The most obvious limitation is that it examines a
rhetorical and legal issue that is two removes away
from the truly important question of how companies
protect their customers' personal information. That
is, I looked only at how these 20 companies described
their privacy policies. I did not gain access to any
of these companies' private operations to determine
how companies in fact treat personal information.
The overarching objective in examining privacy-policy
statements is not, of course, to study the statements,
or even company policies. It is to study the company's
practices. Unfortunately, it is impossible to examine
either a company's policies or its practices, except
in isolated instances in which a company employee
blows the whistle or a plaintiff takes legal action in
a court.

TABLE IV
NONCOMPLIANCE WITH SAFE HARBOR: REMAINING HALF OF THE FIRST SET OF TEN COMPANIES


TABLE V
NONCOMPLIANCE WITH SAFE HARBOR: SECOND SET OF TEN COMPANIES

Beyond this obvious limitation lies another. I looked at
only 20 sites, a number too small to allow statistically
significant conclusions. In addition, because the
privacy-policy statements consist of words, not of
precise quantitative data, I had to interpret the often
imprecise passages that I record in Tables III, IV, and
V. Although I tried to be fair-minded in interpreting
these passages, another reader certainly might differ
with some of my interpretations. (For an earlier
study of the imprecise writing in many privacy-policy
statements, see [17].)

Despite these limitations, one conclusion seems
to me to be incontestable: of the 20 privacy-policy
statements that I studied, 19 are literally
noncompliant. By this I mean that they violate, in
at least one way, the EU's stipulation that such
statements be clearly and simply written and that
they address certain issues. In almost all 19 cases,
they violate this stipulation in more than one way.

To be precise, we can say that it is logically possible
that all 20 companies have privacy policies in
place that protect customers' personal information.
And we can say that it is logically possible that all
20 companies follow practices that protect their
customers' personal information, as required by Safe
Harbor.

However, these possibilities seem unlikely. If 19 of
the 20 companies are unable or unwilling to publish
compliant statements, I think it improbable that
many of these companies achieve the more difficult
task of creating compliant policies, and even more
improbable that they achieve the considerably more
difficult task of acting in compliance with Safe Harbor.

My guess is that, in all likelihood, the EU 2004
assessment understates the noncompliance and that
a healthy majority of US companies that claim they
act in compliance with Safe Harbor do not.

Why should IT professionals follow legal developments
in the Safe Harbor story? I think there are two
reasons.

First, Americans are concerned about data privacy.
Perkins and Markel review the data that suggest that
public skepticism about privacy is a significant drag
on e-commerce [5]. And as more and more privacy
breaches hit prominent US companies, the American
public is likely to become increasingly concerned.
At this point, the US public only dimly understands
the meaning of privacy-policy statements. According
to a recent report from the Annenberg Public Policy
Center, three quarters of the US internet-using public
believes that if a company has a privacy policy, it
means the site will not share my information with
other websites and companies [18, p. 30]. At some
point, the US public will begin to take the issue more
seriously, forcing companies to implement stricter
privacy policies to remain competitive.

Second, European data-protection officials are likely
to become more aggressive in examining US
companies' statements, policies, and practices. Mark
Schreiber, an attorney in the US, writes that some
data transfers from the EU to US companies are
already being delayed or denied by EU data-protection
authorities [19]. Several EU Member States, including
Holland, Austria, Portugal, Sweden, and Italy, have
recently authorized new sanctions, including prison
terms, for violation of their privacy laws.

It is possible, of course, that EU companies will not
take significant, widespread legal action against US
companies or that they will rarely win. It is possible
that Safe Harbor will remain what the DoC has always
said it would be: a voluntary, self-certifying program.
After all, the DoC has never tried to hide the fact that
it sees Safe Harbor only as a move to placate EU
data-protection authorities, and it has steadfastly
and consistently rejected EU requests that the DoC
monitor the program and take legal action against US
companies that claim they comply but do not.

It would be unwise, however, for US IT professionals to
trust that the current lax data-protection environment
will persist. When corporate management decides
to implement a fully transparent privacy policy, whether
in response to a sincere belief that it is the right
thing to do, to competitive pressures, or to legal
actions taken by EU data-protection officials, IT
professionals will have to act quickly. The IT
professional who already understands the EU
data-privacy requirements, as well as the gaps
between the company's privacy statement, policy, and
practices, will most likely succeed in the enormous
task of implementing a system that truly protects
customer data.


REFERENCES


[1] European Union. (1995, Oct.) Directive 95/46/EC of the European Parliament. [Online]. Available:
http://europa.eu.int/comm/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf
[2] European Union. (1995, Oct.) Directive 95/46/EC of the European Parliament. [Online]. Available:
http://europa.eu.int/comm/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part2_en.pdf
[3] US Department of Commerce. (2000) Safe Harbor Agreement. [Online]. Available:
http://www.export.gov/safeharbor
[4] US Department of Commerce. (2000) Safe Harbor List. [Online]. Available:
http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list
[5] E. Perkins and M. Markel, "Multinational data-privacy laws: An introduction for IT managers," IEEE Trans.
Prof. Commun., vol. 47, no. 2, pp. 85-94, Jun. 2004.
[6] F. Hayes. (2000, Nov.) Beyond Safe Harbor. Computerworld [Online]. Available:
http://www.computerworld.com/securitytopics/security/story/0,10801,53350,00.html
[7] US Department of Commerce. (2000) Safe Harbor Overview. [Online]. Available:
http://www.export.gov/safeharbor/sh_overview.html
[8] US Department of Commerce. (2000) Helpful Hints Prior to Self-Certifying to the Safe Harbor. [Online].
Available: http://www.export.gov/safeharbor/helpful_hints.html
[9] US Department of Commerce. (2000) Safe Harbor Workbook. [Online]. Available:
http://www.export.gov/safeharbor/sh_workbook.html
[10] D. L. Aaron. (1998, Nov.) Presentation to International Trade Administration Electronic Commerce Task Force.
[Online]. Available: http://www.ita.doc.gov/td/ecom/aaron114.html
[11] R. Gellman. (1998, Nov.) Comments of Robert Gellman on the Department of Commerce International Safe
Harbor Privacy Principles. [Online]. Available: http://ita.doc.gov/td/ecom/comabc.htm
[12] European Commission. (2000) Commission Decision of 26 July 2000 Pursuant to Directive 95/46/EC of the
European Parliament and of the Council on the Adequacy of the Protection Provided by the Safe Harbor Privacy
Principles and Related Frequently Asked Questions Issued by the US Department of Commerce. [Online].
Available: http://europa.eu.int/eurlex/lex/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML
[13] J. F. Mogg. (2000, Jul.) Letter to Mr. Robert LaRussa. [Online]. Available:
http://www.export.gov/safeharbor/EUletter27JulyHeader.htm
[14] European Commission. (2002) Commission Staff Working Paper: The Application of Commission Decision
520/2000/EC of 26 July 2000 Pursuant to Directive 95/46 of the European Parliament and of the
Council on the Adequate Protection of Personal Data Provided by the Safe Harbour Privacy Principles and
Related Frequently Asked Questions Issued by the US Department of Commerce. [Online]. Available:
http://europa.eu.int/comm/justice_home/fsj/privacy/docs/adequacy/sec-2002-196/sec-2002-196_en.pdf
[15] European Commission. (2004) Commission Staff Working Document: The Implementation of Commission
Decision 520/2000/EC on the Adequate Protection of Personal Data Provided by the Safe Harbour Privacy
Principles and Related Frequently Asked Questions Issued by the US Department of Commerce. [Online].
Available: http://europa.eu.int/comm/justice_home/fsj/privacy/docs/adequacy/sec-2004-1323_en.pdf
[16] G. C. Urbaniak and S. Plous. (2005) Research Randomizer. [Online]. Available:
http://www.randomizer.org/form.htm
[17] M. Markel, "The rhetoric of misdirection in corporate privacy-policy statements," Tech. Commun. Quart., vol.
14, no. 2, pp. 197-214, 2005.
[18] J. Turow, L. Feldman, and K. Meltzer. (2005, Jun.) Open to Exploitation: American Shoppers Online and
Offline: A Report From the Annenberg Public Policy Center of the University of Pennsylvania. [Online]. Available:
http://www.annenbergpublicpolicycenter.org/04_info_society/Turow_APPC_Report_WEB_FINAL.pdf
[19] M. E. Schreiber. (2001) New Privacy Rules and H.R. Compliance. Palmer & Dodge LLP Web site. [Online].
Available: http://www.palmerdodge.com/dspSingleArticle.cfm?ArticleID=364




Mike Markel is Director of Technical Communication at Boise State University, Boise, ID. His latest book is Technical
Communication (Bedford/St. Martin's, 7th ed., 2004). From 1994 to 1996, he was the Editor of IEEE TRANSACTIONS ON
PROFESSIONAL COMMUNICATION.
