Hundreds of US companies fake data protection certification in Europe



Hundreds of US companies that claim to belong to the US-Europe “Safe Harbour” data protection agreement may be lying about it, and the agreement itself is due for an overhaul.

Chris Connolly, director of Australian consultancy firm Galexia, who appeared before the European Parliament on Monday, told officials that about one in seven claims of membership are bogus, EU Observer reported.

The Safe Harbour deal is supposed to ensure US firms comply with the EU’s stricter data protection laws when handling EU citizens’ data. It’s a voluntary self-certification scheme – all companies have to do is say they’ll comply with seven data protection provisions. If they don’t stick to what they’ve agreed, they might be considered “deceptive” by the US Federal Trade Commission and be stung with penalties of up to $12,000 a day.

About 3250 companies are currently listed by the US Department of Commerce as active members of the scheme, including giants such as Google, Facebook and Microsoft.

Galexia’s research found 427 false claims of membership in September 2013, up from “over 200” false claims in 2008. “In those 427 organisations, you will find large household names in Europe, with hundreds of millions of customers”, Connolly said.

Even for companies who are properly registered and compliant, there are doubts about how much protection the scheme really gives to EU citizens. In July, European Commissioner for Justice Viviane Reding announced a review of the scheme, with recommendations expected before the end of the year.

The European Commission is working on a separate data protection package to create a “modern set of common data protection rules”. Under the draft law, EU citizens would always be able to make a complaint to their local data protection authority – instead of a German citizen, for example, needing to travel to Ireland to complain about Facebook.

Businesses would also be able to go to a single point for a decision across Europe rather than deal with different local data protection authorities. According to EU Observer, Reding said on Monday that the law’s final draft should be ready in December 2013.

Image credit: NASA/Goddard Space Flight Center – Scientific Visualization Studio