Safe Harbour has been ruled invalid – so what now?

Steve Evans

Tuesday 1 December 2015

The European Court of Justice's recent ruling has rendered the Safe Harbour framework invalid, so what now for European businesses and data transfers to the US?

A recent ruling by the European Court of Justice has proclaimed the Safe Harbour agreement invalid.

The framework, used by as many as 5,000 businesses, including the likes of Facebook and Google, allowed companies in the US to self-certify that they had the systems and processes in place to guarantee the protection of personal data. This meant they could bypass European laws – which prohibit personal data from being transferred to places that do not provide what the EU considers adequate protection of data – in order to get data from Europe to the US.

The ruling followed a challenge by privacy campaigner Max Schrems, who targeted Facebook over its transfer of personal data back to the US. The ruling held that the NSA would be able to routinely access the personal data of European citizens once that data had been transferred to the US.

There’s no doubt this ruling will have huge implications for companies that operate in both the EU and the US. With cloud computing and the increase in mobile technologies, the transfer of data is a necessity for many businesses. And, while Safe Harbour was a quick and cost-effective way to transfer data to the US, the new rules mean businesses across Europe will have to reassess their data transfer protocols.

Mind you, it’s not exactly as if this has come out of the blue; the original Safe Harbour challenge was referred to the European Court of Justice over a year ago, and, according to the BBC, the US and EU have been negotiating for a number of years regarding updating the Safe Harbour agreement.

However, until a new agreement is outlined, businesses still have to work out how to safely transfer data across the Atlantic without breaching any data protection laws. One potential option, suggested by the ICO in the UK, is the use of Model Contract Clauses (MCCs). This is essentially an agreement signed by the company processing the data, outlining the steps it has taken to safeguard the privacy of that data.

Another alternative is Binding Corporate Rules (BCRs). Similar to the MCCs mentioned above, BCRs enable a company to commit to treating personal data in a certain way, which means the data can subsequently be transferred in a safe and secure way.

The invalidation of the Safe Harbour framework will rightly be seen by many as a boost for privacy, since, as the ruling made clear, data transferred under the agreement could be very easily accessed by the NSA. However, many of the companies using Safe Harbour were doing so for legitimate reasons. All the same, until a replacement for that framework is ratified, they may well find themselves stuck for the best way to transfer data from the EU to the US.
