Quite a bit has been made of the EU decision to strike down the Safe Harbor Agreement between the U.S. and EU on October 6th of this year. The agreement, in essence, was created to reconcile the differences between the privacy laws of the U.S. and the Data Protection Directive of the EU regarding the handling, storage, and transfer of personal information. As you can imagine, many of our international customers -- or U.S. customers with international visitors -- have been very concerned about this and the implications for their business and vendors.
So, with that, I wanted to provide a quick synopsis of the situation to help people get a grasp on the topic and understand the implications at a high level. Much of this is a legal issue, so I’m going to keep my commentary light here as I’m not a lawyer (but play one on TV), and I would welcome the opportunity to speak with any of you offline (email@example.com) about this and provide more specific guidance.
Where did this come from?
Quite frankly, this was a bizarre ruling from the European Court of Justice (ECJ) based upon a narrower question asked of the ECJ by the Irish High Court (IHC). The IHC was simply asking if they were bound by the Safe Harbor principles or if they could do an audit of their own. For some reason, the ECJ took this from 0 to 100 and just invalidated the whole thing.
Who/What does this impact?
First and foremost, this only applies to personal data and not production data or environmental measurements. So, if you are not collecting any personal data about people in the EU, you can carry on without any worry. However, for those that are, you can no longer rely on Safe Harbor to send data to the U.S. because of this ruling.
From a vendor perspective, there are over 4,400 Safe Harbor-certified companies that now no longer have a legitimate basis to transfer personal data from the EU to the U.S. One of the biggest sources of pain for our customers will be from an analytics perspective, where vendors such as Adobe and Google are already working on their responses. Adobe has model contract clauses in place and I would expect Google to do something similar.
What are the alternatives?
A key point that seems a bit lost in all the noise right now is that Safe Harbor isn’t actually the only way you can send personal data outside of the EU. Model contract clauses, informed consent, and a few other options have already existed for quite some time to help organizations be less reliant on the Safe Harbor principles as a sole lifeline for data storage and transfer.
For anyone that is using a cloud provider (such as Amazon), you’re most likely already covered by their contract clauses, but it is worth looking into just to be certain. At the end of the day, there might be some short-term pain felt here as the panic sets in. However, given that there are alternatives, most organizations should be able to navigate these waters.
One point of note here on the alternatives: many of these are coming into question too, mostly in Germany, which continues to make this an ever-evolving landscape for organizations right now.
Is there a resolution in sight?
The deadline for the European Commission to set new Safe Harbor rules with the U.S. is January 31, 2016. However, if no agreement is put in place by then, this also becomes the deadline for organizations to find alternatives to Safe Harbor since it has been deemed invalid.
This puts organizations in an interesting spot, quite frankly. The good news is that the EU has promised to not prosecute any organizations for exporting personal data to the U.S. until after this deadline as a result of the ongoing work to devise a new general regime. The bad news is that the deadline could come and go without any resolution and leave organizations to find alternatives to Safe Harbor. The even worse news is that enforcement is at the local (national) level and not the EU itself, which could result in a wide variance of enforcement across the countries.
So, what should you do? I would enhance the security of your data storage and transfer protocols, analyze your current setup and contracts, and outline alternatives with your vendors if an agreement is not reached on January 31 of next year.
I hope that you found this informative and helpful. We are here to help and advise you as your strategic partner, so please don’t hesitate to reach out to me directly if you should have any other questions on this issue. Happy Holidays!