The Center for Digital Democracy (CDD), a U.S. group campaigning for digital consumer rights, has asked the Federal Trade Commission to investigate 30 companies for non-compliance with the Safe Harbor agreement between the U.S. and the European Union. The companies include Salesforce.com, AOL and Adobe, as well as a bunch of data brokers like Acxiom and Datalogix.
The Safe Harbor scheme essentially lets U.S. companies self-certify that they adhere to strong data protection standards, allowing them to legally process the data of European customers. Edward Snowden’s NSA revelations put a major hole in the scheme, as EU data protection rules don’t allow for U.S. authorities to rifle through Europeans’ personal data; indeed, Europe’s highest court is about to examine this issue as it relates to Facebook.
Whether or not Safe Harbor is still worth the paper it’s written on, the CDD is going after these 30 companies because they allegedly haven’t stuck to the standards they promised to stick to, regarding transparency and consent. In a statement, the CDD accused the companies of “compiling, using and sharing EU consumers’ personal information without their awareness and meaningful consent.”
In the U.S., the FTC has responsibility for enforcing Safe Harbor. According to the CDD, it isn’t doing so properly. In its statement, CDD Executive Director Jeff Chester said:
“Instead of ensuring that the U.S. lives up to its commitment to protect EU consumers, our investigation found that there is little oversight and enforcement by the FTC. The Big Data-driven companies in our complaint use Safe Harbor as a shield to further their information-gathering practices without serious scrutiny. Companies are relying on exceedingly brief, vague or obtuse descriptions of their data collection practices, even though Safe Harbor requires meaningful transparency and candor. Our investigation found that many of the companies are involved with a web of powerful multiple data broker partners who, unknown to the EU public, pool their data on individuals so they can be profiled and targeted online.”
The group is also annoyed that the companies don’t provide EU consumers with meaningful ways to opt out of data collection and processing.
The full company list: Acxiom, Adara Media, Adobe, Adometry, Alterian, AOL, AppNexus, Bizo, BlueKai, Criteo, Datalogix, DataXu, EveryScreen Media, ExactTarget, Gigya, HasOffers, Jumptap, Lithium, Lotame, Marketo, MediaMath, Merkle, Neustar, PubMatic, Salesforce.com, SDL, SpredFast, Sprinklr, Turn and Xaxis.
The CDD’s statement goes so far as to call for the wholesale suspension of Safe Harbor while it gets overhauled “to make sure it actually works.” That would be pretty drastic – the European Parliament has called for it, but the Commission balked. We’re talking about effectively removing the license of everyone from Google to Facebook to operate legally in Europe, albeit on a temporary basis.
It’s a bit odd to see such a call coming from a U.S. advocacy group, but it kind of makes sense when you consider that the CDD is also part of an international group called Trans Atlantic Consumer Dialog (TACD), which also takes in all the big European consumer rights groups. This appears to be a coordinated action, with CDD taking the fight to the FTC on behalf of activists on both sides of the pond. Indeed, Chester told me via email that the CDD favored “the EU’s approach to privacy as a human right.”
Here’s the request for investigation in full: