How will the Safe Harbor ruling effect your business?
Last week, the European Court of Justice (CJEU) ruled the ‘Safe Harbor Privacy Principles’ invalid.
This decision was reached after Max Schrems, an Austrian citizen, filed a complaint with the Irish Data Protection Commissioner, asking them to prohibit Facebook from transferring his personal data to the US after Edward Snowden claimed the US did not adequately protect personal data from NSA surveillance activities.
The ruling has potentially far-reaching consequences on businesses who transfer data across the Atlantic.
Last week, the European Court of Justice (CJEU) ruled the ‘Safe Harbor Privacy Principles’ invalid. This decision was reached after Max Schrems, an Austrian citizen, filed a complaint with the Irish Data Protection Commissioner, asking them to prohibit Facebook from transferring his personal data to the US after Edward Snowden claimed the US did not adequately protect personal data from NSA surveillance activities. The ruling has potentially far-reaching consequences on businesses who transfer data across the Atlantic.
What are the ‘Safe Harbor Privacy Principles’?
To explain them and their potential importance to your organisation, we need to go back to 2000 when the ‘Safe Harbor Privacy Principles’ were introduced to help US companies comply with the EU Directive 95/46/EC on the protection of personal data.
The right to privacy for citizens inside the European Economic Area (“EEA”) area is more rigorous than in places outside of Europe. The EU Directive 95/46/EC forbids the transfer of personal data to a country outside the EEA unless that country has adequate data protection measures in place.
The ‘Safe Harbor Privacy Principles’ allowed US companies to store data from EU companies in the United States without violating EU, and therefore UK, data protection laws.
Companies who opted-in to the ‘Safe Harbor Privacy Principles’ had to register with the U.S. Department of Commerce and agree to a host of privacy principles approved by the European Commission in 2000.
After agreeing to the principles, an organisation must undertake a re-certification audit every year. The audit involves undertaking a self-assessment to verify that they comply with the principles. Alternatively, they can appoint a third-party to perform the assessment.
The European Court of Justice ruled the principles were invalid after Edward Snowden's NSA leaks showed that European data stored by US companies was not safe from surveillance that would be illegal in Europe. It was established that US federal government agencies could use the data under US law, but were not required to opt-in to the principles.
How does this effect your business?
As we have established, UK companies are not allowed to send personal data to countries outside the European Economic Area unless they guarantee adequate levels of protection. The ‘Safe Harbor Privacy Principles’ allowed the US to be one of the only countries outside of the EEA who could be considered to store data for European organisations. Whilst its legitimacy was not universally accepted, even before last week’s ruling, this has now effectively ruled the U.S. out as a legal place to store any European data that is subject to data protection laws.
As of last week, if a UK or EU company stores customer/patient/employee data with a company in the US, they are not compliant with EU Directive 95/46/EC on the protection of personal data and are therefore breaking the law.
Effectively, it means if you are using a service such as Survey Monkey (located in Palo Alto, California) or Google Forms (located in Mountain View, California) for data capture or information on your customers/patients/employees is held in data centres in the US, you are risking a fine from the Information Commissioner’s Office (ICO).
What happens next?
In the short term, the invalidation of the ‘Safe Harbor Privacy Principles’ has caused many companies to review their data flows and ask themselves what data is used, where the data originates from, where the data goes and what is its purpose.
UK companies may want to consider using a UK based cloud service for data storage or an on-premise data capture solution such as TeleForm. Depending on the tier, TeleForm can be installed on a single workstation for the desktop version or a UK server for workgroup or enterprise.
Importantly, individual EEA citizens - whether disgruntled customers, past employees or members of the public - can now claim their personal data and EEA privacy law has been violated by US companies. Any claims must be investigated by data regulators whereas previously they could point to the ‘Safe Harbor Privacy Principles’ as proof of compliance.
As the ‘Safe Harbor Privacy Principles’ were accepted by the EC, it satisfied the requirements of all 31 EEA member states. Now invalidated, it may result in increased scrutiny on US companies by data regulators in individual European countries' who may ask to review transfers of their citizen’s data.To head this off, US companies may decide to host data in the European Union. In fact, several US organisations have recently invested in data centres in Ireland, possibly in an attempt to comply with the legislation directly.
However, in a separate development, Microsoft and US authorities are engaged in a court battle over information held at their data centres in Ireland. The US government held a warrant for access to eMails held by Microsoft of a person of interest in an investigation. Microsoft have claimed that nowhere in the U.S. Congress does it say that the Electronics Communications Privacy Act "should reach private eMails stored on provider's computers in foreign countries." The case continues with many observers eagerly awaiting a verdict which is not expected until next year. The case is being followed closely by Ireland which has 18 companies either in the process of establishing a data centre or significantly expanding their existing operations in an overall investment valued at €3.7 billion.
If the US government win the case, US companies may review their investment in Ireland. However, should Microsoft win, they – and Apple, Facebook, Google, IBM, Vodafone, eBay, Yahoo, BT, Eir, EMC and Equinix who all plan to develop data centres in Ireland over the next five years - can only then claim EU citizens’ data is stored in accordance with regulations.
One thing is certain; data cannot continue to be stored within the US. In addition, even data stored within the EEA by US based companies may not be safe. Consequently, our advice to EU/UK companies is to select only compliant companies that are owned and operated within the EEA to store and process their data.
If you have any questions about the ‘Safe Harbor Privacy Principles’, please contact us.