Abstract

The 25 European Union (EU) Member States require that their residents' personal information not be transferred to countries that do not protect that information adequately. In 2000, the EU ruled that the United States (US), through its voluntary Safe Harbor program, met that requirement. Since that time, however, the EU has charged that many US companies that claim to be in compliance with Safe Harbor policies are not. In this article, I report on a study of the privacy-policy statements of 20 randomly selected US companies that claim to be in compliance. Of the 20, 19 are not in compliance. This study argues that as EU Member States begin to examine Safe Harbor carefully, they are likely to force US companies to adhere to more stringent privacy policies. The burden of this adherence will be borne by US IT professionals.