The Safe Harbour decision - What does it mean?
By Andrew Hewson, Principal Consultant, MTI Technology - 29 October 2016
The “Safe Harbour” agreement between the US and EU has recently been ruled invalid by the European Court of Justice (EUCJ). The court states that if a new agreement cannot be reached between the two by 31st January 2016, regulators will enforce the ruling.
What is the Safe Harbour agreement?
The Safe Harbour decision, originally approved by the EU in 2000, is an agreement that enables US companies to transfer data from their customers or users in Europe. This is on the understanding that the US will protect the data to the same standards that Europe applies.
The case arose from a complaint made by Austrian privacy campaigner Max Schrems, who felt that the US was unable to offer real protection to international data against its government’s surveillance. Subsequently, the complaint was referred to the EUCJ.
The court has recently agreed that the current US data protection law is insufficient, deeming the Safe Harbour framework ineffective with immediate effect.
Who is affected?
It affects companies across the EU and in the US. More than 4,000 companies rely on the ‘Safe Harbour’ framework and have done so for the past 15 years.
What does this mean for businesses?
- Suspension of data - Individual European countries can choose to suspend the transfer of data to the US.
- Individual criteria - European countries can each set their own data protection criteria for US companies handling personal data originating in that country.
- New regulations - If all European countries proceed to set individual data handling and processing criteria, it will affect data transfers all over the globe, not only to the US. If this were to happen, it would create an extremely complex and highly regulated environment in Europe.
In other words, any organisation that stores personal data through a third party will have to determine the geographical location of the data processing or storage facilities of all of its partners.
For some businesses, one solution is to obtain the consent of the data subject. Data subjects may include employees as well as social media customers. Obtaining consent from every data subject can be a vast and laborious task, and for some companies many subjects may also decline to give it.
Global US companies may need to introduce and develop new methods of processing and storing data to ensure it remains within European borders. This may be achievable for larger corporations such as Google and Facebook; for smaller businesses, however, this may be more of a challenge financially. Without the budget to create and maintain operations in Europe, smaller businesses could suffer.
Without a grace period from the court, international and global organisations could face a bureaucratic nightmare. If every European country attempts to create its own national data privacy regulations, this will not only affect data transfers with the US, but will also impact data sharing between individual European nations.