Safe Harbor: A Failed Attempt at Self-Regulation

In response to the Directive on Personal Data Protection that went into effect in Europe in 1998, the United States attempted to draft some sort of self-regulatory initiative to promote the uniform practice of privacy protection in online commerce and communication. Safe Harbor was the United States' response to the need for across-the-board online privacy control, and the program failed for many reasons, the biggest of which are outlined below.

The Premise

Safe Harbor member sites were required to follow the following seven terms to ensure data integrity and proper use:

1. Notifying individuals before collecting any kind of personal information on their websites
2. Allowing users to opt out of sending personal information to the website or having such information collected by the website in the form of cookies
3. Notifying users when information they submit will be forwarded on to a third party and allowing them to opt out of sending this information to said third party
4. Taking reasonable measures to ensure the security of information provided to the website by the users
5. Maintaining data integrity by using only the data collected that relates specifically to the website's stated purpose
6. Allowing individuals access to the information held by the website about them and allowing them to change and update this information as necessary
7. Maintaining the resources to investigate users' claims of failure to meet any of the above six terms and providing the means to rectify these situations.

These terms are problematic in several ways. First, there are relatively few ways the common internet user can successfully claim that a company has distributed his or her information to a third party without consent, particularly if the person has submitted information to multiple "secure" sites. Knowing which one has breached Safe Harbor's principles is difficult, and obtaining recompense even more so. Additionally, the term "reasonable measure" of security is open to wide and varied interpretation, from weak encryption to password-protected databases to stronger encryption methods and trusted third-party sites. Finally, websites in violation of Safe Harbor's principles have no further police than themselves, which is not a strong enough method of enforcement.

For these reasons in particular, the EU did not accept the United States' Safe Harbor proposal, and there is as yet no existing bridge between the privacy protection policies of Europe and the United States.

Membership Requirements

For a website or company to join Safe Harbor's ranks and be an approved, "safe" member, it had to provide certain information to Safe Harbor's database. However, the information requested was extremely limited. To join Safe Harbor, a company needed only provide:

• Its web address
• The date when it would begin implementing Safe Harbor's principles
• A contact person
• The name of the statutory body that governed the website
• The names of any privacy programs to which the site already belonged
• A method of verification
• An acceptable third party to investigate unsolved complaints, should any arise.

The ease with which this information could be provided to Safe Harbor without the site actually implementing any real privacy policy again caused unease among the EU, who worried that sites would reference one another as a "third party," allowing infringements of the Safe Harbor principles to go largely unpunished.

Finally, the Safe Harbor proposal would have failed for a reason common to many attempts at legislating online privacy do: there are little to no precedents for legal action against those sites infringing upon personal privacy. Again, individual lawsuits take years to pile up and receive recompense, and there is no legislative body acting as a constant watchdog over the thousands and thousands of commercial internet sites. Some further solution is needed in the legislative realm, but no one has yet constructed it.