There has been a lot of news about the recent change in the Safe Harbour ruling over the past couple of weeks, but we wanted to make things very clear and very easy to understand.
Prior to the news in October, Safe Harbour was an agreement between the European Commission and the US Government, which promised to protect EU citizens’ data if it was to be transferred by American companies and stored in the US.
Facebook is one example: the agreement allowed the company to transfer data from the EU into a US data centre, as long as it self-certified that it had adequate privacy protections in line with EU regulations.
However, it was Facebook that was taken to court by Max Schrems, a Facebook account holder and privacy activist from Austria, who campaigned against Facebook, stating that the EU’s Safe Harbour ruling is a:
“Puzzle piece in the fight against mass surveillance, and a huge blow to tech companies who think they can act in total ignorance of the law.”
While “total ignorance of the law” may be a bit strong, if you are an organisation operating outside of the EU and relying on personal data for business decisions, any transfer of data on EU customers to the US is technically illegal and a breach of data protection regulations.
What you should do if this new ruling affects you
Straight away, you need to review how your data is transferred to ensure it’s in line with Safe Harbour Part 2 (new guidance will be issued in the next few weeks).
Start thinking about where your data is being held, be it in a data centre or in the cloud - the new ruling has given the data regulators of individual countries the power to challenge the transfer of data from their own country! Countries now have the power to state that data on their residents is stored strictly within their own country, something that Russia has done recently.
We also recommend that you review the need to transfer data, as well as get a good understanding of your service contracts. You may need to invest in data centres within the country where the data originates, which, although it adds cost, will provide peace of mind.
Are you outsourcing your data management? If so, you may want to think about whether you have a contractual agreement on where the data is held, and talk to your data management provider to ensure they are aware of and acting upon the new Safe Harbour ruling.
If you have any questions about the Safe Harbour ruling, what it means for your business and what you need to do now, don’t hesitate to contact a member of our team who will be able to help you.