No more Safe Harbor – What this means for European companies
Yesterday, the European Union’s highest court struck down the 15-year-old “Safe Harbor” agreement. Its downfall, with immediate effect, has opened a new era in the digital world. Not only major tech companies, but each and every small and large business in the EU has to adapt – right now. To understand the decision and cope with its fallout, read on.
Our CEO, Istvan, sees this as a step in the right direction: “We at Tresorit welcome the decision to strike down the Safe Harbor agreement. It provided a false sense of privacy to users around Europe. End-to-end encryption is the only ‘adequate’ protection for personal data. This technology ensures that the user has the final say on who accesses their data.”
What is Safe Harbor? Why did the EU strike it down?
The European Highest Court prohibits transferring EU citizens’ personal data to 3rd countries (outside the EU), where local laws do not provide adequate legal protection.
US privacy laws are not considered adequate, so EU companies are not allowed to transfer any personal data to the US. The Safe Harbor framework was an exception: it allowed EU companies to transfer EU citizens’ personal data to, and store it with, US companies that self-regulate and agree to meet the Safe Harbor principles.
Yesterday, the Court stated that even the Safe Harbor principles do not provide adequate protection for EU customers’ data. Therefore ‘Safe Harbor’ – and processing data in the US – exposes EU citizens to serious privacy risks and should be suspended immediately.
What is the implication of the decision?
Private individuals are free to decide to store their data with US-based companies, at their own risk. But companies cannot transfer EU customers’ personal data to the US without the customers’ consent.
A customer’s name, email or home address, an employee’s HR data, health information, or any document containing such data falls under this regulation.
As a result of the new rules, the 4,400 services that transferred data under the ‘Safe Harbor’ agreement should be avoided if you want to store, process or share personal data about your customers, employees or business partners.
This applies to all EU-based companies, so for example:
• a German hospital cannot use a US web-based service to process patients’ data
• a UK firm cannot store HR data about employees in Box or Google Drive
• Facebook Ireland cannot share consumer data with the US-based Facebook Inc.
• a multinational’s German subsidiary cannot share its German customers’ or employees’ personal data with its US branch
What should I do?
The implications of the decision are unclear, and there is no “grace period”: the decision applies right away. EU businesses can be held responsible for the services they use to process customer data.
To minimize risks, businesses’ best choice is to use EU-based services, where customer data is never processed in the US. Since it’s hard to know what happens ‘behind the scenes’ in a tech company, it’s best to go with end-to-end encrypted services – as these make sure no one else can access the data, even if it ‘accidentally’ ends up in the US.[1]
[1] As an EU company, there is one exception that lets you stick with the US services you currently use. You need to consult your home country’s data protection authority and get them to review and approve the safeguards you individually put in place to protect the customer data transferred to the US. A lot of administration plus a big hassle – without guaranteed success.