In September 2015, the EU Advocate General (AG) ruled that the current Safe Harbor agreement between the United States and the European Union (EU) does not provide adequate protections for data privacy.
The AG stated that the entire agreement, in place since 2000, is invalid because its personal data protections are not strong enough.
The agreement helped foster US-Europe trade by providing a framework for compliance with personal privacy protection rules.
Most US-based businesses offering cloud services adopted the Safe Harbor provisions in their contracts and presumed that they were therefore in compliance with privacy protection laws.
Now, however, US companies may be at risk if their technology suppliers are not compliant with the tougher standards.
This development affects any organization that utilizes a supplier of technology services in which data originating in the EU is stored or is transferred to the United States.
According to the Information Technology and Innovation Foundation, more than 3,000 businesses in the United States and the EU rely on the Safe Harbor agreement to protect them from violating EU laws (2).
EU and US regulators are expected to eventually issue new guidelines while a more comprehensive new agreement is negotiated to replace the now-invalid Safe Harbor.
The more near-term concern is that with the Safe Harbor agreement invalidated, privacy regulators could potentially take action against trans-Atlantic data transfers.
While the United States and EU are negotiating a new framework for data protection, organizations should consider the following actions:
If an organization is actively negotiating agreements with technology suppliers, discuss alternatives to Safe Harbor.
Organizations whose existing agreements rely on Safe Harbor will need to negotiate new terms and standards with each supplier, both to help ensure compliance with local laws and to protect the organization in the event of violations by the technology provider.
In some extreme cases, re-sourcing a supplier may be warranted if the supplier cannot provide appropriate levels of protection.
(1) Stewart, Ian A. and Ross, Jeremy L., “Is Safe Harbor Still Safe? U.S. Companies Face Challenges Ahead on the EU Privacy Horizon,” September 29, 2015, The National Law Review. Retrieved from: http://www.natlawreview.com/article/safe-harbor-still-safe-us-companies-face-challenges-ahead-eu-privacy-horizon
(2) Weise, Elizabeth, “Europe’s Top Court Rejects ‘Safe Harbor’ Ruling,” October 6, 2015, USA Today. Retrieved from: http://www.usatoday.com/story/tech/2015/10/05/european-privacy-ruling-could-hurt-us-companies/73422412/
(3) Bodani, Stephanie, “EU-U.S. Data-Sharing Pact Is Invalid, EU’s Top Court Rules,” October 6, 2015, Bloomberg Business. Retrieved from: http://www.bloomberg.com/news/articles/2015-10-06/eu-u-s-data-sharing-pact-is-invalid-eu-s-top-court-rules-iff2hpgy
(4) Federal Trade Commission, “U.S.-EU Safe Harbor Framework.” Retrieved from: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s.-eu-safe-harbor-framework