Since July 2000, a key decision by the European Commission commonly known as the Safe Harbor Decision declared that U.S. privacy principles complied with the European Union (EU) Data Protection Directive. The landmark decision opened the doors for American companies to store and handle European customer data. As a result, this made it easier for U.S. firms to do business in Europe under strict privacy rules that prevent the transfer of data to countries that do not adhere to them.
However, on October 6, 2015, the European Court of Justice (ECJ) issued a judgment that declared that the Safe Harbor Decision was, in fact, invalid. This was the result of a complaint filed by Austrian privacy activist Max Schrems against Facebook regarding how his personal data was handled. The ECJ said that the existing Safe Harbor agreement did not provide sufficient protection because not all organizations allowed to handle European data were required to comply with EU privacy rules.
What Does this Mean for U.S. Businesses?
According to The Guardian, while 4,400 companies will be affected, the impact of the decision on large U.S. technology companies operating within the EU will likely be limited to a large amount of paperwork. In the absence of the Safe Harbor agreement, companies will need “model contract clauses” – agreements that authorize the transfer of European data outside of the continent. Many companies have such clauses drafted already, but others could be faced with stopping data transfer until they have done so.
Whatever the case, it is clear that American companies that want to handle European data will have to ensure that they do not transfer or store any personal data outside of Europe. For some companies, this could mean investing resources in building or outsourcing to European data centers.
“American companies are going to have to restructure how they manage, store and use data in Europe and this takes a lot of time and money,” said Mike Weston, CEO of Profusion, a data science consulting firm.
The European Commission, the body responsible for Safe Harbor, has made it clear that there will be no sudden stop to the transfer of data from Europe as a result of the ECJ’s decision.
“Data flows can continue in the meantime under other arrangements,” said Frans Timmermans, Vice-President of the European Commission.
Reaction from U.S. Companies
The response from American technology companies has been varied, but there is a common message that a new solution must be found to ensure that there is a balance of privacy protection and the ability to conduct regular business.
“We’re committed to work in close partnership with others in the industry and to supporting data protection authorities and governments to help achieve the goals that the ECJ ruling set out,” wrote Brad Smith, President and Chief Legal Counsel for Microsoft on a company blog.
Facebook, the social network that was the subject of Schrem’s complaint, used stronger words to express a sense of urgency for a resolution.
“It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security,” the company said in a public statement.
Where Do We Go from Here?
While it may seem daunting to find a new solution, there is still hope. Thankfully, there are a number of initiatives that have been going on that have the potential to address the concerns and issues with the original Safe Harbor agreement.
For instance, the European Commission issued interim guidelines to businesses concerning transferring data outside of Europe that will apply until a new agreement is reached. This should provide a framework that will allow business operations to continue uninterrupted until a new agreement has been reached.
On the legislative front, the European Parliament has finally recently agreed upon the text for a new General Data Protection Regulation (GDPR) that will replace the existing Data Protection Directive (DPD). One of the key differences is that while the DPD could be adapted according to each EU member country, the GDPR will be directly applicable to all 28 member states. This will address the problems with a lack of data privacy harmonization that has made it hard for foreign companies to ensure compliance in each EU country.
There is also a standard available for protecting personally identifiable information (PII) when using cloud services that would be helpful for many businesses affected by Safe Harbor. ISO 27018 is a standard that was adopted by the International Organization for Standards (ISO) in 2014. Currently only a handful of companies currently comply with the standard, such as Microsoft and Dropbox. However, the fact that this standard is based on EU data-protection laws, being ISO 27018 compliant can ensure that companies are ready for any privacy regulation changes.
Finally, negotiations towards a new agreement have actually been going on for some time and appear to be reaching a consensus from both parties. On October 26, 2015, the EU had announced that it had reached an agreement in principle with the U.S. regarding a new data-transfer pact.
There clearly remains a great deal of work to be done in order to resolve this intercontinental privacy issue. Nonetheless, companies dealing with each other on both sides of the Atlantic should be able to continue operations when it comes to data transfers outside of Europe until a permanent solution is found.
“At the heart of this issue is consumer trust,” said Jon Jones, President of Trulioo. “Consumers want the convenience and choice that global commerce offers. How their data is used, along with the flow and storage of their data, is critical not just in the U.S. but across all countries."