Security concerns prompt Safe Harbor Web site changes

Because of security concerns, two features were removed last week from a U.S. government Web site designed to aid the flow of personal information and commerce between the U.S. and the European Union, according to a notice posted on the Web site.

A self-certification form and the "Safe Harbor list" were removed last Thursday from Safe Harbor, a Web site operated by the U.S. Department of Commerce, "in order to review the security of the information submitted to the Department by U.S. organizations," according to a posting on the site. The Department of Commerce did not return repeated calls seeking comment for this story.

The Safe Harbor site was established to help smooth over differences in the way the E.U. and the U.S. regulate online privacy and to aid in cross-border commerce. In 1998, the E.U. passed the Directive on Data Protection which prohibits the transfer of personal information to non-European nations who don't meet with standards set out in the directive. In order to ensure continued flow of information, the U.S. created a "safe harbor" system -- implemented in the Safe Harbor Web site -- for U.S. companies doing business in Europe.

Companies involved in the Safe Harbor program include Microsoft Corp., Intel Corp. and Hewlett-Packard Co.

When agreeing to become a Safe Harbor member, a company pledges to make the information it has gathered about individuals accessible, changeable and secure. Companies must also notify users that information is being collected and why, give them the opportunity to opt out and may only pass the information on to other Safe Harbor or Directive on Data Protection-compliant bodies.

The two removed features are expected to be reintroduced soon, according to the Web site, located at