When it comes to governing and protecting data, whether personal emails or sensitive corporate documents, privacy is one area that is poised to take center stage in 2016 as individuals, companies and governments methodically anatomize what can or cannot be accessed in the name of protection.
Currently, most companies, primarily US-based Internet providers with users in Europe, are operating in a legal limbo, since there is no current framework for the collection and storage of personal information across the Atlantic. That is because just three months ago the European Court of Justice (ECJ) struck down the 27-year-old "Safe Harbor" agreement between the EU and the US.
On Oct. 6, 2015 the ECJ ruled that the Safe Harbor Framework, which allowed US companies to transfer data outside the European Union by declaring compliance with EU data laws, is invalid.
The ECJ decision stemmed chiefly from a case brought by Austrian privacy activist Max Schrems, who objected to Facebook's transfer of data from its servers in Ireland to the US.
Schrems complained to Ireland's Data Protection Commissioner that in light of Edward Snowden's 2013 revelations about the scope of data gathering by the NSA, the Safe Harbor regime failed to provide data with the protection required under European law.
Still, according to a recent Wall Street Journal article, it seems the man who was the driving force behind the invalidation of the Safe Harbor data-transfer agreement between the U.S. and EU is not optimistic that a new deal will offer a reliable solution for businesses looking to move data across the continents.
Although a European Commission working party has warned that enforcement authorities could start examining data transfer mechanisms by the end of January, and U.S. and EU negotiators are attempting to hammer out an 11th-hour agreement for a new Safe Harbor, Max Schrems has stated it is unlikely that there will be a workable solution to the privacy problem as it stands now.
What Do You Need To Know Today?
- Safe Harbor was initiated based on efforts that started in Europe as far back as 1980, when the OECD (Organisation for Economic Co-operation and Development) generated seven key principles for the protection of personal data. Similar to the GARP principles, they were non-binding but gave countries and organizations directives to work towards in order to protect personal data from unauthorized use and distribution.
- By 1995, the European Union finally enacted legislation to protect personal data privacy known as the Data Protection Directive.
- By July 2000, US companies that complied with the principles and addressed a number of key questions, including being certified with the EU, were able to freely transfer personal information from the EU to the US and vice versa. This allowance came to be called the Safe Harbor ruling and has been the operating principle of most international companies working in both the US and Europe.
- In October 2015, U.S. Secretary of Commerce Penny Pritzker released the following statement in response to the European Court of Justice decision surrounding the Safe Harbor Framework: "Since 2000, the Safe Harbor Framework has proven to be critical to protecting privacy on both sides of the Atlantic and to supporting economic growth in the United States and the EU. We are deeply disappointed in the decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy."
Safe Harbor 2.0 - What You Need To Know
- It is possible that European data protection agencies could start taking enforcement action against companies judged to be no longer in compliance with European privacy law. There are more than 4,700 companies that fall into this EU-US category.
- Organizations will be left to make decisions and agreements on their own – without a replacement decision and agreement, organizations that need to share data across the pond will have to generate internal, risk-based policies and procedures that they believe will assure compliance with the EU data privacy requirements.
- Organizations will not only need to assess risks in their own organizations, but they will also need to assess and make decisions regarding their partners and contracted organizations, whether HR service organizations, cloud providers or clinical research organizations. Each partnership and agreement could require a different agreement, contract terms or other documented evidence of securing personal data, particularly data involved in potential EU-US transfers.
- Potential disruption in cloud services and technology – with more and more organizations storing information in the cloud, whether or not the organizations are highly regulated like pharmaceutical and financial services companies, the decision to use the cloud for any data that could ever be perceived as being linked to, or directly representative of, personal data will be continually re-examined, and greater risk will attach to such corporate data management decisions. US Commerce Secretary Penny Pritzker noted that more than 4,000 companies have benefited from Safe Harbor. If the two sides fail to reach an agreement, individual country data-protection authorities will be able to halt EU-US data transfers.
Like any new regulation, legislation or agreement of this magnitude, it should come as no surprise that organizations that could be impacted by such a change assess their exposure to risk and take proportional actions to mitigate those risks as far as is viable. While there are a lot of positive signals in the way the talks and discussions are going, the seas are not yet calm and organizations are right to be cautious and measured.