Sensitive data concerning European citizens and companies is not safe in the US, legal experts have warned.

Many US companies are wrongfully claiming they are certified to store and process data from Europe, a practice that has been going on for about 10 years.

The federal government in Washington DC does not provide meaningful oversight, and the European Commission is ignoring the swindle, say the experts. Moreover, a research report highly critical of the fraudulent practices has been withheld for months.

The European Commission must clarify and rectify this situation, according to Sophie in 't Veld, a Member of the European Parliament, where she sits with the Alliance of Liberals and Democrats for Europe.

Data safe haven?

The Safe Harbor principles form a crucial agreement between the EU and US, and only US companies that are certified are allowed to process and store data of European consumers and companies.

There are seven principles, including 'unambiguous consent' and an opt-out for those involved, reasonable data security, and clearly defined and effective enforcement. All US companies providing email, chat services, social networking or cloud computing facilities must meet all seven requirements. Over 2,000 companies have been certified, including giants like Microsoft, Facebook and Google.

The safety of this harbor is not absolute, though, as the US government can demand any data and plough through it if the Patriot Act is invoked.

Self-regulation turns to chaos

But there is much more going on. The rules and policies of Safe Harbor are as soft as butter and there's no oversight. The main problem lies with the US Department of Commerce, which administers the Safe Harbor list of companies. Companies put themselves on this list through self-certification, without anybody checking anything.

The department itself is clear on this: "In maintaining the list, the Department of Commerce does not assess and makes no representations to the adequacy of any organisation's privacy policy or its adherence to that policy. Furthermore, the Department of Commerce does not guarantee the accuracy of the list and assumes no liability for the erroneous inclusion, misidentification, omission, or deletion of any organization, or any other action related to the maintenance of the list."

The result of this self-regulation is disastrous. Hundreds of US companies claim they are certified, without meeting the necessary conditions. These problems had already surfaced in 2002 and 2004, when the EU commissioned two studies.

In 2008 nothing had improved and the independent research and consultancy company Galexia reached shocking conclusions. Of the 1,597 organisations on the Safe Harbor list, only 348 met all seven principles in the most basic way, Galexia reported.
