Why are the long standing US safe harbor privacy data jurisdiction provisions now suddenly ‘not-so-safe harbour’ provisions?
Mr Max Schrems, an Austrian national and digital activist was concerned that Facebook could not guarantee his privacy as his personal data was located in the U.S.
He lodged his complaint to the Irish High Court (Facebook is registered in Ireland). In turn, the Irish High Court referred the case to the European Court of Justice (ECJ) for a ruling.
On the 6th October, the ruling of Maximillian Schrems v. Data Protection Commissioner (C-362/14) resulted in the long standing safe-harbour agreement being struck down.
U.S. Cloud no longer under ‘Safe Harbour’
Put in place some 15 years ago, the U.S. – European Union (EU) ‘safe harbour’ agreement was intended to overcome the different approaches to managing on-line privacy between the U.S. and the EU.
In essence, EU resident’s personal data (including personnel records of employees) could be transferred to the U.S. provided that the U.S. firms implemented security and privacy controls that met, or exceeded the requirements of the EU’s data-protection directive (i.e. “safe harbour”).
The European Court of Justice’s October 6th ruling has significant implications for any organisation that deals with private data involving EU subjects where the data is located in the jurisdiction of the U.S.
Old laws for the new world?
Since the U.S. – European Union (EU) safe-harbour agreement was established, the digital world has fundamentally changed. Since 2000, the volume of digital traffic globally has exploded, fuelled by the uptake of Cloud and related internet services – many of which are based, or at least co-located in the U.S.
The reality is that legislating in areas such as data retention, data breach or privacy in our fast-moving and shadowy digital world is a constant struggle. For any legal and regulatory mandates to be effective, they rely on considerations such as the deterrence factor, the protections afforded under the law, and the practicalities of enforcing the law.The effectiveness of all three is to be questioned in our volatile, borderless, digital world when it comes to data security.
However, in the case of this long standing EU – U.S. safe harbour provision, this legislation has underpinned the growth of U.S. based Cloud and other IT outsourced services, where the data is located in the U.S.
Remove that ‘protection’, what’s the problem?
Business Implications – What implications?
Any company that has been relying on the U.S.-EU Safe Harbour certification for their business is directly affected by this ruling.
“….pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.” ~ Court of Justice of the European Union – PRESS RELEASE No 117/15
While this ruling specifically cites the services offered by Facebook, the striking down of the safe harbour provisions has a direct knock-on effect for other organisations and individuals.
The bottom line: Any business that deals with data subject to privacy legislation – whether they be a Cloud / IT services provider or client organisation – need to carefully assess their exposure in respect of this ruling. Your cloud provider’s supply chain may hide the fact that you may be impacted. Better to know the facts than assume.