Another year is almost over and there is still no sign of the new EU data protection directive. However, there have been some significant developments, including the recent European court ruling on the validity of the US Safe Harbour rules. This has left many US companies facing the headache of how to manage client data outside of the EU.
What is Safe Harbour?
Safe Harbour was the name given to a policy agreement established between the US and the EU in November 2000. It regulates the way US companies export and handle the personal data of European citizens while adhering to the stringent requirements for the transfer of personal data outside of the EU.
The Safe Harbour agreement established a framework as a compromise solution between US and EU privacy procedures. All European member countries were subject to the agreement, which allowed data transfers without the separate authority of individual countries. US companies that did not join Safe Harbour had to obtain authorisation separately from each European country. In simple terms, the agreement regarded US companies as an extension of the European Economic Area (EEA), implying they were trusted to safely transfer personal data. Safe Harbour was designed as a “streamlined and cost-effective” way for US companies to get data from Europe without breaking its data privacy rules.
As a result of the Snowden revelations, a European privacy campaigner, alleging that the US Government had gained access to data relating to European citizens held by US technology companies, asked the Irish Data Protection Commission to audit what material Facebook might be passing on. Initially he was rebuffed, being told it was all covered by Safe Harbour. However, the campaigner took the matter to the European Court of Justice. The court ruled that the Safe Harbour agreement did not eliminate the need for local privacy watchdogs to check that US companies were taking adequate data protection measures. This effectively invalidated the Safe Harbour agreement.
Whilst the full consequences of the ruling will be played out over the coming months, the implications are clear. There are currently some 4000 companies relying on Safe Harbour that will have to reconsider their data flow architectures and look at alternatives for approving data transfers. These will include EU model contract clauses and Binding Corporate Rules (BCRs), even though these can involve lengthy approval processes by European regulators.
As a result of the ruling, the Irish Data Protection Commission has at least agreed to investigate allegations that Facebook was making personal data available to US intelligence agencies.