The framework that facilitated the exchange of customer data between Europe and the US is dead in the water. What happens now?
At the beginning of October, the European Court of Justice (ECJ) ruled that the Safe Harbor framework that enabled the flow of customer data from the EU to the US for the past 15 years is, in fact, invalid. The ECJ said that no American business could guarantee that personal data would be safe from the prying eyes of the US intelligence agencies, as required by the principles of Safe Harbor. This decision is final and cannot be appealed.
The change in regulation came as a result of a complaint filed by Austrian privacy activist Max Schrems against Facebook in Dublin. Those who have followed the case – mostly lawyers and fellow privacy activists – knew this outcome was possible.
The instant demise of the framework caught businesses and privacy regulators by surprise, put transatlantic relationships at risk, and paved the way for future lawsuits. And it’s all the fault of Edward Snowden.
European regulators treat data privacy issues much more seriously than their American counterparts. The reasons are mostly historic: for example, Germany still vividly remembers the Stasi, the surveillance apparatus of the Communist government. Other EU states with a ‘Big Brother’ heritage include Greece, Italy, Portugal and Poland.
The EU had to find a way to make its citizens’ data available to US businesses for economic reasons.
The Safe Harbor framework was proposed by the US Department of Commerce and adopted by the EU in 2000. It outlined seven principles intended to provide an “adequate level of protection” for data in a non-EU country, as required by the 1995 Data Protection Directive.
Organizations must notify individuals that their data is being collected, allow them to opt out and, most importantly, make “reasonable efforts” to prevent loss of information.
But Safe Harbor enforcement has long been criticized as ineffective. The framework allowed self-assessment and just assumed that organizations would comply. The European Commission has no power to force American companies to submit to an audit.
Long-term problems
In 2013, we saw the first reports of indiscriminate mass surveillance by entities like the National Security Agency (NSA). The Germans were especially riled after it emerged that their beloved Chancellor had been targeted by their US allies.
Activists pored over the documents published by The Guardian, The Washington Post and Der Spiegel, and Schrems realized his personal data could have been compromised so he launched a legal challenge in Ireland, where Facebook has its European base.
The Irish High Court realized the case’s importance and referred it to the ECJ, which sided with Schrems, creating a legal limbo. In a nutshell, the court told privacy regulators across Europe that they should ignore the framework approved by the European Commission and look at the facts, suggesting that American businesses cannot be trusted due to the activities of the NSA.
The Irish Data Protection Commissioner will have to decide whether Facebook has adequately protected European user data, and whether it should block transfers of such data to the US – and this might be the first of many such cases. This could affect any business that uses infrastructure in the US to process EU citizen data. European regulators said they will not take co-ordinated enforcement action, at least until the end of January 2016, but in the meantime they will be required to respond to user complaints.
“The judgment means that businesses which use Safe Harbor will need to review how they ensure that data transferred to the US is done so in line with the law. We recognize that it will take them some time to do this,” said David Smith, deputy commissioner at ICO, the British privacy watchdog, adding that some transfers already take place based on different provisions.
American businesses have several options, the easiest of which is to simply move their data processing to Europe. Alternatively, they can negotiate agreements that satisfy European regulators (see box).
If none of these measures are in effect, and personal data is still exchanged, a business could be taken to court by its customers. “This puts a profound burden on companies – and more than 4,000 have been relying on Safe Harbor provisions – to ensure they are not breaching EU data protection laws when they transfer data to the US. Companies need to be especially careful that they are not inadvertently breaking the law when using third parties – such as outsourcing companies and specialist IT providers,” commented Toby Duthie, partner at Forensic Risk Alliance.
“This will complicate the regulatory environment in Europe and affect how corporate entities and their advisors analyze data for marketing, fraud prevention and response to litigation,” he said.
Danger for medium-sized firms
“The biggest casualties will not be companies such as Google and Facebook, because they already have significant data center infrastructure in countries like the Republic of Ireland. It will hit medium-sized, data-heavy tech companies that don’t have the resources to react to this decision,” warned Mike Weston, CEO of data science consultancy Profusion. “Many of these businesses will reconsider how and whether they operate in Europe, which is bad news for everyone.”
A replacement may emerge, somehow taking intelligence agencies into account. By the time the ECJ announced its decision, the EU was already in negotiations with the US to develop a revised set of principles that could replace Safe Harbor. But the demise of Safe Harbor is not the only thing on the European lawmakers’ minds.
The European Commission is working on an updated General Data Protection Regulation – likely to be approved by the end of 2015 or early 2016. This document is expected to introduce even stricter rules and give significant powers to EU regulators, with the European Parliament able to levy fines for non-compliance of up to €100m, or five percent of global turnover. For Facebook, that could be as high as €500m.
Seriously, just get that data center in Europe.
This article appeared in the November 2015 issue of DatacenterDynamics magazine
What are the options for American businesses?
- They can simply move processing to data centers in Europe.
- They can use one of four ‘model contract clauses’ approved by the European Commission to satisfy privacy regulations, without having to make their own assessment of data protection measures.
- Larger organizations can adopt Binding Corporate Rules (BCRs), specifically designed to allow them to transfer personal data, although the related policies and procedures have to be approved at a European level – a process that could take some time.
- Some online retailers can obtain direct consent to data transfer by simply asking their users.
- Pseudonymization, or anonymization, of data is another way to operate within the law.
If none of these measures are in effect, and personal data is exchanged, a business could be taken to court by its customers and partners.