How to file a Safe Harbor request for your personal data


This is a short practical guide for Europeans and Swiss residents to file a Safe Harbor request for their personal data from a US company.

What is Safe Harbor?

The International Safe Harbor Privacy Principles are a set of regulations between the United States and either the European Union or Switzerland, which allow individuals based in those countries to claim back their personal data from US-based corporations.

Copy-pasting from Wikipedia, these principles must provide:

  • Notice - Individuals must be informed that their data is being collected and about how it will be used.
  • Choice - Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
  • Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
  • Security - Reasonable efforts must be made to prevent loss of collected information.
  • Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
  • Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
  • Enforcement - There must be effective means of enforcing these rules.

This is meant to replicate a level of privacy protection similar to that enjoyed at home. Some companies implement these rules as services that you can activate yourself (like Facebook and Twitter, for instance, although some are arguing Facebook is not transparent enough).

How to apply

In general, it is really easy. I will describe the process for one company, Coursera. The first step is to look at the company's Privacy Policy. If it mentions Safe Harbor (as Coursera does), then you can proceed. It might be that the privacy policy lists an email address to contact. If not, the alternative is to go to the dedicated site of the Federal Trade Commission. There are two lists there: one for U.S.-E.U. data exchange, the other is the U.S.-Swiss list. You should then look up the relevant page. In Coursera's case, it is here.

When everything goes smoothly, you should look up the Organization Contact on that page. In Coursera's case, they have listed security@coursera.org, which is not necessarily the best address to use. Much better seems to be support@courserahelp.zendesk.com.

You should then email that address with a very generic email with your demand. Here is an example, which you could cut and paste:

To whom it may concern,

I would like to request a copy of all the personal data held by your company about me.
Please also describe what use you make of this data, and include a list of third parties with whom you are sharing it.

Sincerely yours,

XYZ

Then, you should just wait for a bit.

What if I don't get what I want?

Your request might have different outcomes. I see a few possibilities:

  • you might get everything you asked for;
  • you might never hear back;
  • you might get some information, but not be satisfied.

If you want to push the matter, you can always insist and argue why you should get more of the data. Private data is meant to be understood in a very broad sense under the original EU directive, and Safe Harbor should reflect that.

Still, if this doesn't work, it's important to know that you have a recourse.

Safe Harbor is based on self-enforcement: the tech company informs the FTC that it complies with the principles. As part of the filing, the company has to include an option for Dispute Resolution, also listed on the site of the FTC. In Coursera's case, they list the International Center for Dispute Resolution division of the American Arbitration Association as the independent recourse mechanism.

At this point, you should google this arbitrator. For Coursera, you will quickly land at this site, which has more information, including the fact that the arbitration procedure is free (for the claimant). This is not always the case: some arbitration companies require a filing fee of around $200.

I have not had to go with an arbitrator yet, so I can't help you any further!