The US Department of Commerce has added the following statement to the landing page of its Safe Harbor website:
* * * *
On October 6, 2015, the European Court of Justice issued a judgment declaring as “invalid” the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.”
In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.
* * * *
This is an incredibly obtuse and indefensible statement under the circumstances that exist. By indicating that the DOC will continue processing submissions for self-certification, while cloaking its description of the CJEU ruling in a legalistic reference, the department is encouraging consumers and companies to believe that Safe Harbor still provides the protections and assurances that are legally required. This is arguably an "unfair and deceptive" practice that should warrant FTC review and intervention.
It does make sense to leave the Safe Harbor website accessible, since links to it are contained in thousands of privacy policies and it contains useful information about companies and their handling of personal data. However, the site should be far more honest and informative about the current situation. Yes, it is difficult to precisely define what the current status of Safe Harbor is, but to say that administration and self-certification will continue as usual is simply preposterous. "Under your laws, the framework we agreed upon is dead; under my laws, it lives on." Oh, please!