Europe’s highest court has struck down the Safe Harbor agreement, an international accord that since 2000 has allowed companies to move citizens’ digital data between the European Union (EU) and the United States.
The Oct. 6, 2015, ruling by the European Court of Justice called the agreement flawed because it allowed American government authorities to gain routine access to Europeans’ online information, according to the New York Times.
The court cited leaks from Edward J. Snowden, the former contractor for the National Security Agency, as proof that U.S. and British intelligence agencies had almost unfettered access to Europeans’ data, infringing on their privacy rights.
The court said data protection regulators in each of the EU’s 28 countries should govern how companies collect and use the online information of their citizens, the Times said. European countries’ views and rules on privacy vary widely.
The Safe Harbor agreement allowed for the exchange of personal data created by EU citizens – including information posted on social media, Google web searches, and even online purchases – between the EU and the United States as a matter of commerce, with the understanding that U.S. data custodians would properly protect such sensitive data so it would not be misused. There was an expectation that U.S. companies would provide the same privacy protections the data had in the region where it was created.
The decision originated as a complaint brought by Max Schrems, a 27-year-old Austrian student, who argued that Europeans’ online data was misused when Facebook was said to have cooperated with a National Security Agency program that reportedly gave the U.S. agency broad access to data collected by several American tech companies, including Facebook. Facebook denies that the U.S. government had unlimited access to its users’ data.
The court’s decision went into effect immediately and leaves companies such as Google and Facebook in legal limbo. Their services are still operational, and they said they believe other agreements with the EU should provide an adequate legal foundation.
Frans Timmermans, the first vice president for the European Commission, which will be policing the ruling, said businesses could still move European data to the United States through other existing treaties.
But those other agreements will now likely be reviewed and questioned by some of Europe’s national privacy watchdogs, the Times said, making it more difficult for companies to transfer Europeans’ information overseas.
European privacy watchdogs have been divided over how to protect their citizens’ data. For example, France and Germany are among the countries that have pursued more aggressive protections for their citizens’ personal data. But Britain and Ireland, among others, supported Safe Harbor.
Last year, the European Court of Justice approved the “right to be forgotten” to protect online privacy, giving anyone with connections to the region the right to ask search engines like Google to remove links about themselves from online results.
ARMA International would emphasize that this ruling raises a number of issues for multi-national organizations. It is likely to be some time before there are concrete guidelines, let alone legal precedent or a Safe Harbor 2.0. But there are a few common-sense actions an organization can take in determining how to respond:
- Assess your own level of risk. What types of personally identifiable information do you retain on EU employees or customers? Where is information geographically stored? Your information governance data map will help you answer these questions.
- Assess the business workflows surrounding the information: Is it possible to segregate the data so the relevant information can remain on servers located in the EU? Can the workflow be modified to avoid transmitting PII to the United States?
- Identify requirements specific to the countries in which you conduct business. Since this ruling indicates countries can establish their own levels of protection, it’s important to understand the specific requirements for the jurisdictions in which you conduct business.
- Determine what measures the organization can take to mitigate the risk. Depending on the types of risk identified, the mitigation measures might include implementing additional technology to provide added levels of protection, training employees to remind them of requirements, and modifying contracts with storage providers to add protections. It may mean negotiating with the data protection authority for each of the countries in which you conduct business.
- Monitor your mitigation measures for compliance. As the court indicated, in many instances, the companies claiming Safe Harbor protection never actually followed through on their commitment. So, as a good faith measure, you should establish meaningful metrics that can be monitored to ensure employees are following the guidelines.
While this ruling is a shock to the system for most multi-national organizations based in the United States, it is likely that additional rulings and/or guidance will be forthcoming to make the rules of engagement more definite for global business entities. In the meantime, take stock of your risks and implement common-sense solutions. You will likely have to tweak those solutions over time, but you will be served best by acting in good faith, based on knowledge that’s currently available.