Data Protection Dilemma: End of US safe harbor?

Data Protection & Privacy.

The commonplace transfer of personal data out of the EU zone is now illegal – how is that going to affect us?

For fifteen years the US Safe Harbor Framework allowed US companies to self-certify that they would protect EU citizens’ data in the US. That all stopped late last week, as the ECJ ruled the “safe harbour” agreement is no longer valid.

I would guess that most consumers and even a fair percentage of folks within the digital industry never understood what Safe Harbor was and how implementation in Europe was dodgy to say the least.

Under EU law, citizens of Europe have some specific privacy and data protection clauses, specifically prohibiting the transfer of their details outside of the union. The US Safe Harbor agreement made between the EU and the US government promised to protect EU citizens’ data if transferred by American companies to the US.

In real terms, it meant that companies such as Facebook, Google, Youtube, etc. could store data on EU citizens on their servers in the US – greatly simplifying compliance and streamlining costs. All that came to an end last week.

What does it all mean?

It may be a storm in a teacup but, in the short term, it means a lot of companies may be violating EU privacy regulations, and not just Facebook and Google. For example, if you use Mailchimp to send out weekly email newsletters in the UK, then personal data on EU citizens is being held on US servers – and that’s now illegal.

The ending of the agreement should, in theory, ensure better data protection for EU users. It may also help stop the US government from being able to gain access to user data from the EU in the manner alluded to by Edward Snowden – at least not legally.

The big players will not be terribly inconvenienced, nor are users likely to even notice any change (except maybe a new “tick this box to agree to….” pop-up). It does mean a lot of paperwork and some rewriting of T&Cs on EU websites.

However, it will open the door to further investigation, complaints and lawsuits from users and data regulators. As a result, it would be a wise precaution to audit where your users’ data is being held. The blanket “has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access” statement is no longer acceptable.