Does the Safe-Harbor Program Adequately Address Third Parties Online?

To date, the EU-US Safe Harbor Program leads in governingthe complex and multi-directional flows of personal information online. As commerce began to thrive in the onlinecontext, the European Union was faced with the challenge of ensuring that personalinformation exchanged through online services were grantedlevels of protect on par with provisions set out in EU privacy law. This was important, notably as the piecemealand sectoral approach to privacy legislation in the United states was deemed incompatiblewith the EU approach. While the SafeHarbor program did not aim to protect the privacy of citizens outside of theEuropean Union per say, the program has in practice set minimum standards foronline data privacy due to the international success of American onlineservices.

While many citizens outside of the US and EU benefit fromthe Safe Harbor Program, it remains unclear how successful the program will be in anonline ecosystem where third-parties are being granted increasingly more rightsover the data they receive from first parties. Using Facebook as a site of analysis, I will attempt to shed light onthe deficiencies of the framework for addressing the complexity of data flowsin the online ecosystem. First, I will arguethat the safe harbor program does not do enough to ensure that participants areheld reasonably responsible third party privacy practices. Second, I will argue that the informationasymmetries created between first party sites, citizens, and governance bodiesvis-à-vis third parties obscures the application of the Safe Harbor Model.

The EU-USSafe-Harbor Agreement

In 1995, and based on earlier OECDguidelines, the EU Data Directive on the “protection of individuals withregard to the processing of personal data and the free movement of such data”was passed [1].  The original purpose of the EU PrivacyDirective was not only to increase privacy protection within the EuropeanUnion, but to also promote trade liberalization and a single integrated marketin the EU.  After the Data Directive waspassed, each member state of the EU incorporated the principles ofthe directive into national laws accordingly. 

While the Directive was successful in harmonizing dataprivacy in the European Union, it also embodied extraterritorialprovisions, giving in reach beyond the EU.  Article 25 of the Directive states that theEU commission may ban data transfers to third countries that do not ensure “anadequate level of protect’ of data privacy rights [2].  Also, Article 26 of the Directive, expandingon Article 25, states that personal data cannot be transferred to a country that “does not ensure an adequate level ofprotection” if the data controller does not enter into a contract that adducesadequate privacy safeguards [3]. 

In light of the increased occurrence of cross-borderinformation flows, the Data Directive itself was not effective enough to ensure thatprivacy principles were enforced outside of the EU. Articles 25 and 26 of the Directive had essentially deemed all cross-border data-flows to the US in contravention of EU privacy law. Therefor, the EU-US Safe-Harbor was established by theEU Council and the US Department of Commerce as a way of mending the variantlevels of privacy protection set out in these jurisdictions, while also promotingonline commerce.

Social NetworkingSites and the Safe-Harbor Principles

The case of social networking sites exemplifies the easewith which data is transferred, processed, and stored between jurisdictionas. While many of the top social networking sitesare registered American entities, they continue to attract users not only fromthe EU, but also internationally. In agreementto the EU law, many social networking sites, including LinkedIn, Facebook,Myspace, and Bebo, now adhere to the principles of the program. The enforcement of the Safe Harbor takesplace in the United States in accordance with U.S. law and relies, to a greatdegree, on enforcement by the private sector. TRUSTe, an independent certification program and dispute mechanism, has become the most popular governance mechanism for the safe harbor programamong social networking sites.

Drawing broadly on the principles embodied within the EUData Directive and the OECD Guidelines, the seven principles of the Safe-Harborwere developed. These principles includeNotice, Choice, Onward Transfer, Access and Accuracy, Security, Data Integrityand Enforcement. The principle of “Notice”sets out that organizations must inform individuals about the purposes forwhich it collects and uses information about them, how to contact theorganization with any inquiries or complaints, the types of third parties towhich it disclosures the information, and the choices and means the organizationoffers individuals for limiting its use and disclosure.

“Choice” ensures that individuals have the opportunity tochoose to opt out whether their personal information is disclosed to a thirdparty, and to ensure that information is not used for purposes incompatible with the purposes forwhich it was originally collected. The“Onward Transfer” principle ensures that third parties receiving informationsubscribes to the Safe Harbor principles, is subject to the Directive, orenters into a written agreement which requires that the third party provide atleast the same level of privacy protection as is requires by the relevantprinciples.

The principles of “Security” and “Data Integrity” seek toensure that reasonable precautions are taken to protect the loss or misuse ofdata, and that information is not used in a manner which is incompatible withthe purposes for it is has been collected—minimizing the risk that personalinformation would be misused or abused. Individuals are also granted the right, through the access principle, toview the personal information about them that an organization holds, and toensure that it is up-to-date and accurate. The “Enforcement” principle works to ensure that an effective mechanismfor assuring compliance with the principles, and that there are consequencesfor the organization when the principles are not followed.

The principles of the program are rather quite clear andenforceable in the first party context, despite some prevailing ambiguities.  The privacy policies of most socialnetworking services have become increasingly clear and straightforward sincetheir inception.  Facebook, for example,has revamped its privacyregime several times, and gives explicit notice to users how theirinformation is being used.  The privacypolicy also explains the relationship between third parties and your personal information—includinghow it may be used by advertisers, search engines, and fellow members.    

With respect to third party advertisers, principles of“choice” are clearly granted by most social networking services.  For example, the Network Advertising Initiative, aself-regulatory initiative of the online advertising industry, clearly listsits member websites and allows individuals to opt out of any targetedadvertising conducted by its members.  InFacebook’s description of “cookies” in their privacy policy, a direct link to NAI’sopt out features is given, allowing individuals to make somewhat informedchoices about their participation in such programs.  This point is, of course, in light of thefact that most users do not read or understand the privacy policies provided bysocial networking sites [4].It is also important to note that Google—a major player in the onlineadvertising business, does not grant users of Buzz and Orkut the same “opt-out”options as sites such as Facebook and Bebo.

Under the auspices of the US Federal Trade Commission, theSafe Harbor Program has also successfully investigated and settled severalprivacy-related breaches which have taken place on social networking sites.  Of the most famous cases is Lane et al. v. Facebook et al.,which was a class action suit brought against Facebook’s Beacon Advertisingprogram.  The US Federal Trade Commissionwas quick to insight an investigation of the program after many privacy groupsand individuals became critical of its questionable advertising practices.  The Beacon program was designed to allowFacebook users to share information with their friends about actions taken onaffiliated, third party sites.  This had included,for example, the movie rentals a user had made through the Blockbuster website. 

The Plaintiffs filed a suit, alleging that Facebook and itsaffiliates did not give users adequate notice and choice about Beacon and thecollection and use of users’ personal information.    The Beacon program was ultimately found tobe in breach of US law, including the VideoPrivacy Protection Act, which bans the disclosure of personally identifiablerental information.  Facebook hasannounced the settlement of the lawsuit, not bringing individual settlements,but a marked end to the program and the development of a 9.5 million dollar Facebook Privacy Fund dedicated toprivacy and data-related issues.  Other privacyrelated investigations of social networking sites launched by the FTC under theSafe Harbor Program include Facebook’s privacychanges in late 2009, and the Google’s recently released Buzzapplication.

Despite the headway the Safe Harbor is making, many privacyrelated questions remain ambiguous with respect to the responsibilities social networkingsites through the program.  For example,Bebo reserves the right tosupplement a social profile with addition information collected from publiclyavailable information and information from other companies.  Bebo’s does adhere to the “notice principle”—asit makes know to users how their information will be used through their privacypolicy. However, it remains unclear if appropriate disclosures are given by Beboas required by Safe Harbor Framework, notably as the sources of “publiclyavailable information” as a concept remains broad and obscured in the privacy policy.  It is also unclear whether or not Bebo usersare able to, under the “Choice” principle, refuse to having their profiles frombeing supplemented by other information sources.  Also, under the “accessprinciple”, do individuals have the right to review all information held about them as “Bebousers”?  The right to review informationheld by a social networking site is an important one that should be upheld.  This is most notable as supplementary informationfrom outside social networking services is employed  to profile individual users in ways which maywork to categorize individuals in undesirable ways.

The Third Party Problem

Cooperation between social networking sites and the SafeHarbor has improved, and most of these sites now have privacy policies whichexplicitly address the principles of the Program. It should also be noted that public interestgroups, such as Epic, the Center for Digital Democracy, and The ElectronicFrontier Foundation, have played a key role in ensuring that data privacybreaches are brought to the attention of the FTC under the program. While the program has somewhat adequatelyaddressed the privacy practices of first party participants, the number ofthird parties on social networking sites calls into question thecomprehensiveness and effectiveness of the Safe Harbor program. Facebook itself as a first party site may adhereto the Safe Harbor Program. However, itsgrowing number third party platform members may not always adhere to best practicesin the field, nor can Facebook or the Safe Harbor Program guarantee that theydo so.

The Safe Harbor Program does require that all participantstake certain security measures when transferring data to a third party. Third parties must either subscribe to thesafe harbor principles, or be subject to the EU Data Directive. Alternatively, an organization can may alsoenter into a written agreement with a third party requiring that they provideat least the same level of privacy protection as is required by programprinciples. Therefore, third parties ofparticipating program sites are, de facto, bound by the safe harbor principles bythe way of entering into agreement with a first party participant of theprogram. This is the approach taken bymost social networking sites and their third parties.

It is important to note, however, that third parties are notgoverned directly by the regulatory bodies, such as the FTC.  The safe harbor website also explicitly notesthat the program does not apply to third parties.  Therefore, as per these provisions, Facebook mustadhere to the principles of the program, while its third party platform members(such as social gaming companies), only must do so indirectly as per a separatecontract with Facebook.  Theeffectiveness of this indirect mode of governing of third party privacypractices is questionable for numerous reasons.

Firstly, while Facebook does take steps to ensure thatthird parties use information from Facebook in a manner which is consistent tothe safe harbor principles, the company explicitly waives any guarantee that thirdparties will “follow their rules”.   Prior to allowing third parties to access anyinformation about users, Facebook requires third parties to agree to terms that limit theiruse of information, and also use technical measures to ensure that they onlyobtain authorized information.   Facebookalso warns users to “always review the policies of third party applications andwebsites to make sure you are comfortable with the ways in which they useinformation”.  Not only are usersrequired to read the privacy policies of every third party application, but arealso expected to report applications which may be in violation of privacyprinciples.  In this sense, Facebook notonly waives responsibility for third party privacy breaches, but also places furtherregulatory onus upon the user.

As the program guidelines express, the safe harbor relies toa great degree on enforcement by the private sector. However, it is likely that a self-regulatoryframework may lead the industry into a state of regulatory malaise. Under the safe harbor program, Facebook mustensure that the privacy practices of third parties are adequate. However, at the same time, the company maysimultaneously waiver their responsibility for third party compliance with safeharbor principles. Therefore, it remainsquestionable as to where responsibility for third parties exactly lies. When third parties are not directlyanswerable to the governing bodies of safe harbor program, and when first partiescan to waive responsibility for their practices, from where does the incentive toeffectively regulate third parties to come from?

While Facbeook may in fact take reasonable legal and technicalmeasures to ensure third party compliance, the room for potential dissonancebetween speech and deed  is worrisome.  Facebook is required to ensure that thirdparties provide “at least the samelevel of privacy protection” as they do. However, in practice, this has yet to become the case.  A quick survey of twelve of the most popularPlatform Applications in the gaming category showedthat third parties are not granting their users the “same level of privacyprotection”[5].  For example, section 9.2.3of Facebooks “Rights andResponsibilities” for Developers/Operators of applications/sites statesthat they must “have a privacy policy or otherwise make it clear to users whatuser data you are going to use and how you will use, display, or share thatdata”. 

However, out of the 12 gaming applications surveyed, fourcompanies failed to make privacy policies available to users before they granted the applicationaccess to the personal information, including that of their friends [6].  After searching for the privacy policies onthe websites of each of the four social gaming companies, two completely failedto post privacy policies on their central websites.   This practice is in direct breach of thecontract made between these companies and Facebook, as mentioned above.  In addition to many applications failing to clearlypost privacy policies, many of provisions set out in these policies werequestionable vis-à-vis safe harbor principles. 

For example Zynga, makes of popular games Mafia Wars andFarmville, reserve the right to “maintain copies of your contentindefinitely”. This practice remains contraryto Safe Harbor principles which states that information should not be kept forlonger than required to run a service. Electronic Arts also maintains similar provisions for data retention inits privacy policy. Such practices arerather worrisome also in light of the fact that both companies also reserve theright to collect information on users from other sources to supplement profilesheld. This includes (but is not limitedto) newspapers and Internet sources such as blogs, instant messaging services, andother games. It is also notable tomention that only one of the twelve social gaming companies surveyed directlyparticipates in the safe harbor program.

In addition to the difficulties of ensuring that safe harborprinciples are adhered to by third parties, the information asymmetries whichexist between first party sites, citizens, and governance bodies vis-à-visthird parties complicate this model.  Foremost,it is clear that Facebook, despite its resources, cannot keep tabs on thepractices of all of their applications.  This puts into question if industry self-regulation can really guaranteethat privacy is respected by third parties in this context.  Furthermore, the lack of knowledge orunderstanding held by citizens about how third parties user their informationis particularly problematic when a system relies so heavily on users to reportsuspected privacy breaches.  The same islikely to be true for governments, too.  Asone legal scholar, promoting a more laisse-fair approach to third partyregulation, notes—multiple and invisible third party relationships presentschallenges to traditional forms of legal regulation [7]. 

In an “open “social ecosystem, the sheer volume of dataflows between users of social networking sites and third party players appearsto have become increasingly difficult to effectively regulate. While the safe harbor program has beensuccessful in establishing best practices and minimum standards for dataprivacy, it is also clear that governance bodies, and public interest groups,have focused most attention on large industry players such as Facebook. This has left smaller third party players onsocial networking sites in the shadows of any substantive regulatory concern. Ifone this has become clear, it is the fact that governments may no longer beable to effectively govern the flows of data in the burgeoning context of “opendata”.

As I have demonstrated, it remains questionable whether ornot Facebook can regulate third parties data collection practiceseffectively. Imposing more stringentresponsibilities on safe harbor participants could be a positive step. It is reasonable to assume that it would beundue to impose liability on social networking sites for the data breaches ofthird parties. However, it is notunreasonable to require sites like Facebook go beyond setting “minimumstandards” for data privacy, towards taking a more active enforcement, if eventhrough TRUSTe or another regulatory body. If the safe harbor is to be effective, it cannot allow program participantsto simply wave the liability for third party privacy practices. The indemnity granted to third parties on socialnetworking sites may deem the safe harbor program more effective in sustainingthe non-liability of third parties, rather than protecting the data privacy ofcitizens.

[1] Official Directive 95/46/EC

[2] 95/46/EC

[3] Ibid

[4] See Acquisit,A. a. (n.d.). Imagined Communities: Awareness, Information Sharing, and Privacyon Facebook. PET 2006

[5] Of the Privacy Policy browsed include, Zynga, RockYou!, Crowdstar, Mind Jolt, Electronic Arts, Pop Cap Games, Slash Key, Playdom,Meteor Games, Broken Bulb Studios, Wooga, and American Global Network.

[6] By adding an application, users are also sharing withthird parties the information of their friends if they do not specifically  opt out of this practice.

[7]See Milina, S. (2003).Let the Market Do its Job: Advocating an Integrated Laissez-Faire Approach toOnline Profiling. Cardozo Arts and Entertainment Law Journal .