Earlier this week the Court of Justice of the EU (CJEU) ruled that Safe Harbor is invalid because it provides no protection against mass surveillance by the US Government. So, what is Safe Harbor and what impact will this ruling have on UK citizens and businesses?
What is Safe Harbor?
European data protection laws mean that companies can only transfer EU citizens’ data to countries that provide an ‘adequate’ level of data protection. Because the US doesn’t meet this criterion, an agreement called ‘Safe Harbor’ was made with the US in 2000, which simply required a company to self-certify that it had taken the necessary steps to ensure data was protected. However, following several revelations, including those from Edward Snowden regarding the US Government’s mass surveillance practices, the CJEU has now ruled that this agreement is invalid as it doesn’t provide adequate protection. This means that, with immediate effect, companies transferring data between the EU and the US will be affected.
This all came about due to a court case launched by privacy advocate Max Schrems against Facebook in Ireland (where its European HQ is based), in which he argued his privacy rights had been violated given the revelations that the US National Security Agencies were accessing Facebook data held in the US. Despite his original case being rejected, the CJEU has upheld his complaint and invalidated Safe Harbor. This ruling cannot be appealed.
Commenting on his victory he said: “I very much welcome the judgment of the Court, which will hopefully be a milestone when it comes to online privacy. This judgment draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible ... This decision is a major blow for US global surveillance that heavily relies on private partners. The judgment makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.”
How will the ruling affect the UK?
Safe Harbor is used quite widely by the obvious large and well-known US companies such as Facebook, Twitter and Salesforce, but also by a lot of smaller businesses. It’s estimated that up to 4,500 US companies could be affected.
Obviously companies are not going to be able to implement the required changes overnight, but we expect to see several new policies and practices being implemented over the next few months. The EU is reportedly already in the process of rewriting existing data protection laws, and the European Commission was said to be negotiating a new agreement with the US to replace Safe Harbor. We expect further legislative changes and policies to be announced over the coming months to further clarify affected companies’ requirements.
At present, affected companies appear to have 3 options:
Option 1 – Move to hosting EU citizen data in the EU instead of in the US. However, this has obvious additional costs for the companies involved and could be very problematic, as the company would potentially need to meet each EU country’s differing legal requirements with regard to data privacy.
The CJEU ruling also means that individual European countries can now set their own regulations for US companies’ handling of citizens’ data, which could significantly complicate regulatory compliance for international companies. EU countries can also choose to suspend data transfer to the US, forcing the company to host their data within that country. Russia introduced a similar law recently which means data on Russian citizens must be held in Russia.
Option 2 – Directly seek the ‘free and explicit consent’ of the data subject. This will be very difficult to do, especially where existing relationships exist. Also, if people don’t consent, then what? Potential problems have also been discussed around the ‘free and explicit’ requirement of this option. For example, where an employee is asked for consent they may feel pressured to comply by their employer, negating the ‘free’ and making the consent invalid.
Option 3 – Model Clauses. This is probably the option most businesses will use. These are pre-approved clauses that can be added into contracts (new and existing) to cover the new requirements.
It appears most of the larger US-based companies already have backup plans in place to cover themselves against this ruling, so they and their UK-based customers will likely see little to no change. However, many smaller companies might not be so well protected and may need to adopt one of the above options quickly to ensure their compliance.
As a UK citizen or business you may find that any US-based companies you (or your customers) use, such as Facebook, CRM providers, cloud hosting services etc., will be in touch to advise of their own plans and policies. If not, it may be something you wish to contact them about to discuss in more detail. As a service provider (of US-based cloud hosting services, for example) or through your own use of US-based CRM systems etc., you may start to receive enquiries from your own customers and staff regarding this ruling, so it’s important you are aware of the issue and of the plans your suppliers have in place.
However, we think further legislation and agreements are inevitable over the next few months as companies and the EU work to find a resolution to this.
Have your say!
Will you and your business be affected by this ruling? Have you already started to receive updates from your suppliers about this or enquiries from concerned customers? Do you think most people are aware of the ruling or not? Share your experiences by leaving us a comment below.