Multinational companies can use binding corporate rules to send data to parts of the company in different countries, and companies can also use model contract clauses produced by the European Commission to bind companies outside of the EU to its high data protection standards.
The Düsseldorfer Kreis has said, though, that there are worries about how thorough US companies are being when they claim they have complied with the Safe Harbor deal, and has told German companies that they must make their own checks on US firms. “Any certification older than seven years old is not valid.” The group also said that companies must check how US companies tell the subjects of the data being transferred that they are processing their data and ensure that privacy regulators can check that this has been done.
A large number of organisations failed to comply with Principle 7 — Enforcement and Dispute Resolution, as they did not identify an independent dispute resolution process for consumers. Many of these false claims have continued for several years,” said the study, which examined compliance with just one of the scheme’s seven Safe Harbor Framework Principles. The study was not the first to find problems in the implementation of the Safe Harbor programme.
“Overall the study found that the problems identified in previous reviews of the Safe Harbor have not been rectified, and that the number of false claims made by organisations represents a significant privacy risk to consumers,” it said.
Louise Townsend of Pinsent Masons, the law firm behind OUT-LAW.COM, said that companies should be making basic checks on any firm they hire to process data for them even if they are part of the Safe Harbor programme.
http://www.theregister.co.uk/2010/05/25/eu_us_privacy/