Last week the Court of Justice of the European Union (CJEU) struck down the Safe Harbor agreement (Decision 2000/520/EC) that’s been in place since 2000. The Safe Harbor agreement bridged EU and US laws and safeguards that govern the transfer of personal data* from the EU to the US. The recent judgment can have a major impact on businesses, ranging from those that collect personal profiles of social media users (e.g., Facebook, Instagram) to international companies that hold employee personnel data.
What’s changed? Why has the Court of Justice changed its position on Safe Harbor? The core of the issue is the differing views on data privacy. The EU views data privacy as a fundamental right and has a broad view of sensitive** personal information. Conversely, the US doesn’t view data privacy as a fundamental right, and the definition of sensitive personal data is narrow and commercial. This contrast contributes to the justification used to strike down Safe Harbor. Language in the judgment clearly states the Court’s challenge with Safe Harbor is the NSA surveillance program. “The law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.”
Striking down Safe Harbor has created a lot of anxiety within organizations. At this point the decision has been made and the question becomes, “What does it mean to your business?” The answer to this question varies. Talk to the Legal and Privacy experts within your organization to gain an understanding of your position. Don’t assume the judgment means an immediate halt to personal data flows between the EU and US. Most organizations have model contract clauses in place that ensure the safeguarding of personal data in accordance with Article 26(2) of the Directive***. The message is, don’t panic!
No one knows how this will play out in the future. The best case scenario is that the decision will be reversed and Safe Harbor will be restored as-is. We all know there is a low probability this will happen. The worst case scenario is that the decision will remain intact and Safe Harbor becomes a distant memory. The most likely scenario is that the EU and US will continue negotiations and agree on modifications to Safe Harbor that protect both interests. Let’s call it Safe Harbor 2.0. The EU objects to mass and indiscriminate surveillance, while the US remains adamant that surveillance is needed to protect its citizens from today’s threats. Chances are common ground will be reached; the question is when.
From an IT perspective, the best approach at this time is to understand the implications of the worst case scenario. Understanding what EU personal data is stored on systems hosted in the US is the first step. The next step is identifying the plan and cost to segregate EU personal data and host it in EU data centers. This information must be used to educate leadership regarding the implications and what’s needed to comply. Segregating and re-hosting personal data isn’t a trivial task and can be quite costly, not to mention time consuming. W. Capra can assist with understanding the implications and plan development along with addressing security and hosting considerations.
Clarity on this situation has to come in a reasonable timeframe as businesses can’t be left in flux for an extended period of time. Until then, continue to work with Legal and Privacy experts in your organization. Stay tuned, and be prepared.
*Personal data is any information relating to an identified or identifiable natural person.
**The EU defines sensitive personal data as “data revealing racial origin, political opinions or religious or philosophical beliefs, trade-union membership and data concerning health or sex life.”
***The main legal mandate in the European Union on data protection is Directive 95/46/EC of the European Parliament and the Council, also known as the Data Protection Directive (“the Directive”).