Safe Harbour ruling: Industry reaction and analysis

Earlier today, the European Court of Justice ruled that the safe harbour agreement allowing American companies to use a single standard for privacy and data storage is no longer valid.

This means companies such as Facebook and Twitter will face more scrutiny into exactly what information has been taken by American surveillance agencies, with up to 4,500 companies believed to be effected.

Responding to the ruling, various industry professionals have offered their thoughts and analysis.

Ashley Winton, UK head of data protection and privacy at international law firm Paul Hastings:

“The ECJ’s Schrems v Irish Data Protection Commissioner ruling has serious repercussions for multi-national companies with operations in Europe.

"Data Protection law in Europe provides that personal data may not be exported out of Europe unless certain conditions are met. More than 4000 US companies have so far enjoyed using the ‘safe harbor’ rules agreed between the European Commission and the US Department of Commerce which permit the easy transfer of personal data from Europe to the US.

"Many European data protection regulators, particularly those in Germany, have long believed that the conditions of the safe harbour scheme are not substantial enough and the effect of today’s ruling will empower them to investigate and check the acceptability of any data transfer themselves.

"In addition, although the case today primarily concerns safe harbor the ruling will also apply to other European Commission approved methods of transferring personal data internationally.

"Crucially, this case cannot be considered alone. Following the landmark case of Weltimmo last week, multinational companies that have elected to create an establishment in a more business-friendly jurisdiction are now likely to have their data protection practices scrutinised by local regulators all across the EU.

"There are currently no rules limiting individuals bringing complaints regarding data protection across multiple jurisdictions simultaneously, so we may now see these complaints springing up from every direction, where data is being shared around the world."

Jonathan Perez, global privacy officer, BMC:

“The decision taken by the European Court of Justice is a clear message being sent out to the businesses that Safe Harbour can no longer be relied on. In today’s world where digital transformation affects every industry, it is of importance that individuals trust that their data is being adequately handled and protected.

"Safe Harbour is 15 years old and needed to be reassessed especially in view of the recent surveillance and data breaches which have brought suspicion on to it in the public eye. We believe that if we work with data, we must be accountable for data entrusted with us at a global level, and that it goes through getting adapted certification such as the Binding Corporate Rules (BCRs) which BMC has just received.

"The IT industry must embrace the change and go for a higher standard of protection. This will reassure consumers and ultimately customers, which will benefit the whole digital economy."

Andy Hardy, Managing Director EMEA at Code42:

"The ruling invalidating Safe Harbour is seismic. This decision will affect big businesses as well as small ones. But it need not be the end of business as we know it , in terms of data handling. What businesses need to do now, is safeguard data. They need to find solutions that keep their, and their customer's, data private – even when backed up into public cloud.

"The right technology will ensure data it is encrypted before it leaves the endpoint device, so that it cannot be decrypted in the cloud and hence remains private. More over, the best technologies will ensure that encryption keys are kept by our customers on-premise, so only they can decrypt the data and that no-one else can access it unless with prior direct request. This is the only way to ensure privacy in the public cloud post Safe Harbour."

Timothy Kirkhope MEP, European Conservatives and Reformists' spokesman on data protection:

"As politicians we need to work on concluding a set of international standards that allow the transfer and storage of data whilst empowering people to control how their data is used. We are abdicating our responsibility by allowing these matters to be determined in the courts.

"We are trying to make the EU single market go digital, yet the rules we have in place are being decided by judges, risking chaos and confusion that will stifle innovation. The EU and USA have different legal systems and I hope we can work together constructively to find a solution.

"The result of this ruling could be a patchwork of different regimes across Europe and different interpretations of how data should be stored and used. Court rulings often leave fragmentation in their wake which could be more damaging for businesses and consumers in the long run.

"Consumers and businesses just want some clear and consistent rules and so far we are failing in our responsibility to provide them."