Businesses are reeling this week from the news that the European courts have ruled that data transfers to the US via the 'Safe Harbor' agreement are no longer valid.

For digital marketers this news could spell trouble, with across-the-pond data movement being part of the modern digital landscape.

So is this the end of digital marketing as we know it, or just a storm in a teacup?

What did the Safe Harbor agreement actually do?

In EU law (from which the UK Data Protection Act is drawn), a Data Controller who needs to transfer data outside of the European Economic Area must do due diligence on where they intend to send the data.

They need to satisfy themselves that the data protection will be the same or better than provided within the EU. 

It’s quite an undertaking, because if anything goes wrong it’s down to the Data Controller to prove they took all reasonable steps to ensure the data’s safety. If they can’t do that, they could well have broken the law.

It also applies if the personal data belongs to EU citizens and is being gathered by a non-EU organisation, Facebook for instance.

Enter Safe Harbor, an agreement between the EU and the US that allowed any organisation agreeing to its principles to be deemed adequate in relation to data protection.  

The principles of this agreement were developed between 1998 and 2000, with the European Commission rubber stamping the agreement in July 2000.

This allowed EEA businesses to export data to the US with a clean conscience. It also allowed US companies to process data they had gathered on EU citizens.

So what does a US data processor need to do to belong to this exclusive crowd of data protection stalwarts?

It might go something like this:

US data processor: Hey Buddy, I want to join the ‘Safe Harbor’ crowd.

Buddy: Ok, you’ve got to do something first.

US data processor: Right. So what might that be then?

Buddy: See these data protection principles? Just say you agree to them.

US data processor: Is that it?

Buddy: Yep.

US data processor: Ok... in that case, yes I agree, count me in!

No promises, no guarantees...

Lack of protection

To add to the lack of substance in the 'Safe Harbor' agreement, the Court of European Justice has ruled that it is invalid for other, more fundamental reasons.

This is because, to paraphrase the court's ruling, the US authorities’ wide-ranging powers of interference and surveillance, and the absence of any administrative or judicial means of redress, compromise individuals’ fundamental rights to respect for private life and to effective judicial protection.

That suggests that not only is EU citizens' data unsafe in the US, but US citizens are no better protected either.

The UK Information Commissioner’s Office (ICO) has already issued a statement saying that negotiations on an updated Safe Harbor are at an advanced stage.

However, seeing that the Court of European Justice ruling cites a disagreement with what is a key US security policy, this process is likely to take some time. For now, Safe Harbor is finished.

What actions to take now!

Does this mean the end of data transfers and processing across the pond? What happens now?

Well, apparently you don’t need to panic, because there are a number of options available for organisations that rely on transferring data to the US. Actions you could take now:

  • Identify all of your personal data that goes to the US. This could be something like CRM systems or US-based service providers.
  • Review the terms of the suppliers to see who relies on the Safe Harbor.
  • See if you can make alternative arrangements, such as using the model contract clauses (available from the ICO website) or binding corporate rules if you are a global business.

There are likely to be many more options and advice in the coming weeks, from organisations such as the Information Commissioner’s Office.

Some service providers in the US have already issued new contracts including model contract clauses, which bind data protection at a contractual level.

What happens next?

At first glance, the demise of Safe Harbor will be little more than an inconvenience for many EU-based organisations.

But, if you are a US service provider who relied on Safe Harbor to rubber stamp the gathering of EU citizens' data (such as social media platforms), things might not look so rosy.

The only way of complying with the Data Protection Act would be to gain the specific and informed consent of the data subject.

But to be properly informed, the data subject would need to be told that their data was going to a country where the authorities’ wide-ranging powers of interference and surveillance, and the absence of any administrative or judicial means of redress, compromise individuals’ fundamental rights to respect for private life and to effective judicial protection.

And if they were informed, would they consent? 

And considering that the Court of European Justice ruling has questioned the data protection and security regime of the United States, no contractual agreement will satisfy the EU data protection requirements.

Nothing short of a complete revision of the US security regime regarding the surveillance of foreign citizens will satisfy the EU regulations.

The EU regulations are formed on fundamental human rights, one of which is the right to a private life. That is not going to change, but it remains to be seen how far the US is prepared to compromise. 

The only certainty is that the next few months will be very interesting.

Tim Roe

Published 13 October, 2015 by Tim Roe

Tim Roe is Compliance and Deliverability Director at Redeye International and a contributor to Econsultancy. Follow him on Twitter, Google+ or connect via LinkedIn


Comments (5)

Stuart McMillan, Deputy Head of Ecommerce at Schuh

There may be trouble ahead...

Here's another example: How about if I have a spreadsheet of customers (that I'm using for analysis) and I use Google Docs or Google Drive, or any other cloud-based storage? I'm guessing this would now fall foul of the demise of safe harbour?

How many email service providers are based in the US?

over 2 years ago

William Yates, Client Services Director at Novacom Corporation

Interesting post Tim, thanks. You may also find our post on this interesting too http://www.novacomcorporation.com/blog/2015/10/is-safe-harbor-sunk/

over 2 years ago

William Yates, Client Services Director at Novacom Corporation

Hi Stuart,

My understanding is that Google has four data centres in Europe, and it is worth checking whether you can specify which data centres your data is stored on. I know you can do this with Amazon AWS, for example.

CRM systems like Salesforce sent out a copy of their 'model contract clauses' to all admins last week to aid with transfer of data across the Atlantic, and it is worth checking you have one of these in place for any email provider you use with data centres in the US.

I hope this helps!

over 2 years ago

Tim Roe, Deliverability and Compliance Director at RedEyeEnterprise

Thanks for your comments. Trouble ahead? Yes certainly. I alluded in the post that there was no way, short of a big policy change in the US, that would make any transfer of personal data to the US legal. Up to now, the DP organisations in member states have chosen to ignore the full ramifications of the ECJ’s ruling in favour of facilitating cross border data transfers and “business as usual”.

However, yesterday the Independent Centre for Privacy Protection of the Federal State Schleswig-Holstein (“ULD”) published its position paper, stating that it did not believe that model clauses can be used as a basis for data transfers based on the ECJ ruling. Although the ULD’s position only impacts on data processed in Schleswig-Holstein, now that someone has called out the elephant in the room, more are likely to follow.

The EU has been putting pressure on the US for years to bring its DP laws in line with the EU and to ensure that data transferred to the US has the same protection as in the EU. Only a substantial change will fix this now. In the meantime, model clauses might not be legal, but it's the best we've got!

over 2 years ago

Stuart McMillan, Deputy Head of Ecommerce at Schuh

Well, it's not like there is a shortage of vendors for "product x", so perhaps we should only deal with those who have data centers in the EU and guarantee not to ship data outwith the EU... That would shake things up a bit!

over 2 years ago
