You may have seen in the news today that the EU-US Safe Harbor agreement was declared invalid by the Court of Justice of the European Union (CJEU).
What is Safe Harbor?
Safe Harbor was a framework jointly created by the European Commission and the US Department of Commerce so that US-based companies could satisfy the EU restrictions on transferring personal data out of the EU without a separate legal instrument for each transfer. The Safe Harbor Principles were a set of agreed data-handling practices to which a US company voluntarily self-certified in order to receive personal data from the EU, whether as a cloud provider or as any other service provider. Once a company had self-certified, violations of the Principles could lead to heavy fines and other penalties from the US Federal Trade Commission. Small to mid-sized US companies are considered especially lax in compliance, or completely unaware of the requirements around gathering, transferring, and storing the personal data of EU citizens.
The most contentious issue is that the USA PATRIOT Act and the Foreign Intelligence Surveillance Act (FISA), as expanded by the FISA Amendments Act, make it easy for US law enforcement and intelligence agencies to obtain and examine data held by US companies in the ‘cloud’, including data belonging to EU citizens and European businesses. For a US company these statutes apply regardless of EU data protection law, so the EU protections cannot be relied on to block such requests. Most cloud providers, especially market leaders like Microsoft, Apple, Google, Amazon, and Rackspace, fall within US jurisdiction because they are US companies or conduct business in the US. Nor does the data have to be stored physically in the US to be reachable: a company subject to US jurisdiction can be compelled to produce data it holds on servers outside the US.
US officials are not given unrestricted access to foreign data; surveillance under these statutes requires authorization from the non-public Foreign Intelligence Surveillance Court. Even so, Edward Snowden’s revelations of corporate, government, and personal espionage did nothing to help with the trust problem.
Another relevant point is that the Fourth Amendment of the US Constitution, which protects against unreasonable searches and seizures, does not extend to non-US persons located outside the United States. EU citizens whose data sits with a US provider therefore have no Fourth Amendment protection to fall back on.
In today’s ruling the CJEU made clear that, in its view, Safe Harbor does not in fact provide an adequate level of data protection for EU citizens, because it cannot prevent large-scale access by US intelligence authorities to data transferred from Europe.
So, how does it affect US companies?
The decision invalidating Safe Harbor has the following consequences:
- Transfers of personal data from the EU to the US that currently rely on Safe Harbor will be unlawful. The EU is working to provide lawful paths via authorization by national data protection authorities, but it is still unclear how that will work. Stay tuned; Globig will provide more clarity as we receive more information.
- US and other companies that rely on Safe Harbor as the compliance framework for company-to-company or inter-division data transfers will need to find another legal basis. What those alternatives are is unfortunately also unclear at this time. Globig will provide more details as they become known.
- US-based service providers that rely on Safe Harbor to receive personal data from European customers (email addresses, postal addresses, account details, and so on) will need to provide alternative guarantees so that those customers can engage their services lawfully, or face legal recourse.
- You may need to contact all of your third-party vendors and review their contracts to see how personal data is being protected and whether additional measures must be put in place. If the Safe Harbor Principles are the primary basis for data protection in a contract, you will want to review it and implement additional safeguards.
- The alternatives suggested for lawful transfers are Binding Corporate Rules approved by the EU data protection authorities, or the EU Model Contracts (standard contractual clauses). From what we know about these options, they are slow and cumbersome to put in place, and since the court’s objection was to US government access rather than to the paperwork, they are not necessarily safer options either.
Information about Model Contracts
Information about Binding Corporate Rules
A lot more information will become available over the next couple of days. Globig will stay on top of the situation and provide updates and insights as it unfolds.
While you wait, here is some good reading on Safe Harbor from our favorite international legal bloggers:
http://paper.li/EUdiscovery/1312257398
Globig.co is a global knowledge platform and vetted vendor marketplace that accelerates global expansion by providing knowledge, resources, tools, and connections needed to go global. Launching Oct 2015