TOC Notes on
Safe Harbors
Case Analysis:

-1- For companies big enough to be targeted by legal ambush marketing, one particularly annoying source of trouble is the self appointed watchdog organization such as Privacy International (aka PI). Compared to a disgruntled customer, a watchdog is generally better financed and run with professional expertise, including on the law and public relations. The exchange of letters orchestrated by Simon Davies, director of PI, is a good example of how difficult it is to deal with such a threat.

Indifference to or underestimation of, the threat is dangerous as the watchdog is intent to track its target as long as it does not become counterproductive. Amazon UK may or may not have been tardy in answering the watchdog. If it did mail a letter on time as claimed, it surely forgot to register it with the post office. By not doing so, it led itself open to PI's claim that its first reaction was a fax received three months later after PI had escalated its attack by involving the UK Data Protection Commissioner.

Denials and rebuttals must be very carefully written for they provide the watchdog with prime fodder for finding new, specific arguments to its claims. In the case at hand Amazon UK probably felt that it had defused the threat by stating:
"certain limited customer information is transferred outside the European Economic Area (specifically the USA) for processing"
"having discussed this issue at length with the Data Protection Commissioner, we are comfortable that our prominent disclosure of these activities ensures that we have obtained specific and informed consent on the part of our customers to this transfer and that our practices are compliant with our obligations under the Data Protection Act".
Unfortunately this translates into:

  • a very direct recognition of the fact on which PI based its claims, ie. the customer information transfers
  • a self-serving opinion by Amazon UK, ie. "we are comfortable", which only adds to the presumption of arrogance from a powerful company
Only the copy of an official opinion by the Data Protection Commissioner or the promise to wait for and abide by, such an opinion would have been a valid rebuttal and their absence is made even more glaring by the admission the Commissioner had already been contacted by Amazon UK.

Whining is to be avoided at all cost. Amazon UK must have believed they were both firm and courteous in writing in a follow up letter:
"your claims that Amazon.co.uk has admitted to violations of the UK Data Protection act continue to reverberate in the press, as these accusations (to my knowledge, unfounded) continued to circulate. Could you provide any substantiation of these claims that we've made such an admission? If not, we'd like to seek retractions from the various media outlets that have repeated this accusation"
For the watchdog, and its sympathetic audience, this provides two welcome confirmations:
  • the attack has reached its goal by hurting the reputation of Amazon UK via the press
  • the legal standing of Amazon UK is so weak that no actual legal action is threatened nor taken
I can only regret that PI did not provide its readers with the final word of this entertaining and educational story. Did the UK Data Protection Commissioner provide an official finding ? Did Amazon UK decide to go to court after all ? Was the story allowed to disappear because PI had reached its goal and any further action would have been counterproductive?

-2- While a play between a watchdog and its target, the case offers a good basis for discussing international data transfers involving customer information.
As shown in chapter II-2 on marketing, the exact status of customer information has been left undecided, neither the unencumbered property of the organization in possession, nor the exclusive property of the customer it describes. It is therefore not surprising that the adhoc positions taken by the United States and Europe have been found different, opt in for Europe and opt out for the US. Since the economy integrates all countries as it becomes more and more global, data transfers are bound to happen between Europe and the US and with them problems too:

  • what is the legal nature of a customer information transfer between two countries?
    Is it an ordinary import/export operation, as for goods or services ?
  • if customer information is a special kind of goods encumbered by legal rights, how should protection-related encumberances be treated ?
  • if protection is weaker in some country, is it possible to maintain a stronger level of protection elsewhere despite international commerce ?
In the case at hand, Europe forbids "data exports" to countries which, like the US, offers what it deems insufficient protection to the consumer, unless specific measures are taken to Europe's satisfaction. This has been a major source of friction between Europe and the US, notably in 1998, and companies must be aware of this issue, especially large international companies like Amazon.

-3- In reviewing the arguments developed by PI, one finds out that one of the most damaging admissions has been made by Amazon.com itself, unbeknownst from Amazon UK. Responding to an inquiry from its own watchdog, Junkbusters Corp, Amazon.com stated:
"we cannot totally remove account information from our system, as it is part of our business transaction records"
While the UK Data Protection Act does not appear to grant consumers a right of deletion over their information:

  • such a right implicitly exists under French law (Loi 2004-80, art 7), requiring customer information not to survive its legitimate use
  • one may well ask for the deletion of all foreign records as a commensurate remedy following an illegal export of the data in the first place
The point is not what exactly would constitute a "deletion". Amazon.com states that a "customer's billing and shipping addresses" will not be deleted from its systems even once goods have been shipped, received and paid for and the time to contest the sales has elapsed. So when applied to data imported from Europe without proper considerations, the data retention policy of Amazon.com falls under the terms of European law. PI lost no time to report this fact to the UK Data Commissioner.
One can appreciate the difficulty for an international corporation to make sure that its declarations, while harmless in the legal context of one country, can undermine the legal position of a subsidiary in another country.

-4- One should not view this case as one of the impredictable and oftentimes petty trade squirmishes which characterize the partnership between Europe and the United States. It illustrates a grave problem.
Recall the case in chapter II-1 about medical records. Our analysis focused on how the multiplicity of participants enabled a complete breakdown of patient record privacy. But, for the source of our information, this case was all about the dangers of outsourcing processing of sensitive data, from the US to Pakistan in the instance. In the absence of a clear principle about whose property profile information is, most countries, the US included, will find their laws threatened by the existence of other countries with a weaker protection.

It is an easy step to combine the two cases. Imagine a large insurance company based in the US, with significant European presence. It may want to centralize some profile data from Europe to the US to optimize marketing worldwide and outsource its data processing from the US to India to maximize profits. Such a phenomenon is called "Onward Transfer". While India is actively seeking the recognition from Europe that it provides strong data protection, managing such a case according to all local laws is a real challenge.

General Comments:

-1- European law, inspired by French law, pays more attention to matters of principle than American law. This tends to decrease the number of applicable statutes, two in the case at hand (European directives 95/46/EC and 2002/58/EC), and to give broader applicability to major choices, such as the opt in method (EU directive 2002/58/EC, art. 13). For an American organization, the priority enjoyed by European law over the laws special to each member of the European Union also makes it easier to deal with all countries as a single market space.

This simplicity has its limits. First, just like US Federal laws may recognize the validity of State laws co-existing on a particular subject, European law does not prevent member states to introduce country-specific, compatible features. Second, contrary to US Federal law which has direct applicability, European laws are enforced through the so-called transposition process, by which each member state adapt its own laws, generating as many separate enactment dates as there are member states, stretching over several years.

-2- The opposition between Europe, more favorable to consumers and stronger on privacy protection, and the United States, more favorable to companies and weaker on privacy protection should not be seen as black and white.
The opt-in choice is mandatory in Europe only for unsollicited communications which use automatic technologies, email included. Marketing messages with current customers are subject to the milder opt-out method and other cases are covered as member states see fit.

We saw in chapter II-2 on marketing that the United States have adopted opt-in methods in special cases, deemed worthy of greater protection:

  • unsollicited communications by fax (TCPA and Junk Fax Prevention Act), taking an "established business relationship" as an implicit opt-in
  • collecting data from children under 13 years (COPPA), the opt-in in this case being the parental consent
Nevertheless Europe judges privacy protection in the United States is not sufficient to warrant free data transfers when such data contains sensitive information.

-3- In 2000, to avert a trade war and after considerable friction, the United States adopted and the European Commission recognized a mechanism, called Safe Harbor and administered by the Department of Commerce. The purpose of Safe Harbor is to protect a member organization which exports customer information from Europe to the United States from litigation under European law. In exchange the member organization pledges to follow the so-called Safe Harbor seven principles:

  • notice, a practice similar to the privacy policy notices of GLBA
  • choice, ie. opt-in for sensitive information, opt out otherwise, internal usage according to the original purpose of the transfer being authorized as a matter of course
  • onward transfer, making sure that a Safe Harbor member does not allow data to leave the Safe Harbor without legal or contractual protection
  • access, the right for the customer to access and correct information on him or herself
  • security, a requirement familiar to organizations subject to HIPPA
  • data integrity, a rule which echoes the spirit of FACTA
  • enforcement, giving customers access to a recourse mechanism, with proper verification procedures and potential for remedies with sanctions attached
It is instructive to notice the range of so called sensitive information, i.e. personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.

-4- The notion of safe harbor was not invented for solving the problem with Europe. COPPA, which was enacted in 1998 to protect children under 13 years, already adopts such a mechanism as a way to decentralize enforcement to non governmental organizations, including self regulating industry associations.
As detailed in the final rule issued by the FTC on COPPA, a safe harbor relies on three elements:

  • written policy , called guidelines by the FTC
  • periodic independent reviews or assessments of member compliance
  • enforceable sanctions , euphemistically called "compliance incentives" by the FTC
Although this is not explicitly mentioned, one must add a fourth element:
a customer complaint process.

-5- The Safe Harbor from European law enforcement has not been an unqualified success.
As a politically inspired trade off between two opposing camps, this solution was bound to appear burdensome to some in the United States and suspiciously weak to some in Europe. For a sober assessment, see the 2004 report from the European Commission Working Staff.
The Safe Harbor contains more than 400 members at the end of 2003, with a roster growing by 150 a year (source the European Commission Working Staff), including companies such as Apple Computer, Inc. and Microsoft Corp. However since the US Federal government gave regulatory power over the Safe Harbor to the FTC and the Department of Transportation only the industries under these jurisdiction may apply. For example banks cannot register.
Practice by members can also contribute to limit use of Safe Harbor. For example and typical of many members, the membership card of GMC shows that data is transferred for purposes related to human resources rather than marketing.
Overall the main criticism of the European report is that, by failing to make their policies easily available to the public, many Safe Harbor members make compliance doubtful since, the object of the compliance being unknown, it can hardly be verified. Wide publicity of the privacy policy is indeed a requirement mandated for HIPPA compliance ("A covered entity must prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits").

-6- Since Safe Harbor from European law has had a significant but limited impact so far, one is curious to know how most law abiding American companies may deal with the issue. In fact several other ways exist:

Whether adhoc or generic, the mechanism needs to include the four elements of a successful solution: written policy, periodic audits, user complaint process and enforceable sanctions.


When considering a safe harbor solution, one must compare it to alternate solutions. The best choice will depend on:

  • whether the corresponding need is vital and long lasting
  • whether the need is narrow or diffuse
  • the level of resources which it is reasonable to commit
  • the public relation advantage of showing one cares
    by allowing third party organizations in an arm length relationship to approve and audit one's practices
For example a US data processor which does not have direct contact with customers but services a European company who does, has a narrow need. It might be better off with following some pre-approved model clauses.
On the other hand a US company which has just started to market to consumers in Europe through the web might find the Safe Harbor the quickest and least expensive option to limit exposure until it gains economies of scale.
Notice that companies like Apple Computer Inc and Microsoft Corp are not bound by financial resources and actively transfer data for rmarketing purposes. Their choice of Safe Harbor provides evidence of the political advantage of such a solution. Indeed Amazon.com itself, our case subject, registered in March 2003 thereby providing a formal closure to our story.

Tools available:

safe harbor organizations

a link to an organisation, public or private, does not represent an endorsement
and no compensation has been received nor sollicited by the author for its inclusion.
August 2005
Copyright © 2005 Philippe Coueignoux. All rights reserved.