16th Oct // 2015
Just over a week ago the European Court of Justice made a potentially landmark ruling: the “Safe Harbour” agreement which governs the transfer of data from Europe to the US is invalid.
In case you haven't heard of Safe Harbour before, it is (was?) a scheme that allows companies to register and certify that they will protect the data of European citizens when physically stored in America. The need for this agreement has a lot to do with the difference between EU and US laws on personal data, with the European Union generally providing a higher level of personal protection under the Data Protection Directive 95/46/EC.
The agreement was reviewed because of a legal challenge by Max Schrems, an Austrian privacy campaigner. Mr Schrems made a complaint about the processing of his data by Facebook, as he was worried that American federal government agencies could access his data with no regard to the EU-US scheme - concerns prompted by the information released in 2013 by Edward Snowden. The European Court of Justice found that the agreement did not satisfy all of the guarantees set out in the original European directive.
Now that the agreement has been deemed invalid, companies should effectively stop transferring data between the EU and US, even if they were previously covered by this agreement. It seems that many larger companies, such as Microsoft and indeed Facebook, believe they have already covered their own backs through contractual clauses, such as what Microsoft refers to as “additional steps and legal safeguards we have put in place”. The worry now concerns small and medium-sized businesses, who transfer data between the two territories but may not have these additional legal steps in place. Many of them have been relying on the 15-year-old agreement with little thought, but maybe that's part of the issue? A re-ignited conversation about the privacy of our personal data can only be a good thing, right?
Interestingly enough, the US Department of Commerce is still administering the Safe Harbour program and, as of today, is still accepting new submissions from businesses wanting to self-certify. They, like many others, seem to be waiting for somebody to provide an alternative, but this could be a while off. A new version of Safe Harbour has been in the works for a few years now, but there has been no indication as to when it will come to fruition. It's possible that this recent ruling will spur the involved parties on to finalise that agreement and create a new catch-all solution for transatlantic data transfer.
Any businesses that transfer data between the EU and America and are concerned about the implications of this ruling should first consider why they do this regularly. If it's because their servers are located in America, why not consider a hosting solution closer to home?