Why there’s no such thing as safe harbour

On 6 October 2015 The Court of Justice of the European Union ruled that the US safe harbour scheme is invalid. This is huge news, but what might it actually mean, and how could it impact European businesses and US tech companies?

Safe harbour was one of the ways the EC had approved to ensure that transfers of personal data from the EU to the US were compliant with EU data protection legislation. The ruling itself, driven amongst other things by the Snowden revelations, is pretty clear. The Court believes that safe harbour no longer affords data subjects ‘adequate’ protection.

This doesn’t necessarily mean that you’ll be breaking the law by using US Corporations, for now there are other mechanisms for ensuring transfers of data are legally valid including EC approved ‘model clauses’ in contracts and the explicit consent of the data subject. The position will become clearer in the coming weeks when the Commission issues updated advice following the Court’s ruling.

The ruling has been driven by three key things; Snowden revelations about the depth of US government access to data held by US corporations; The US Supreme Court ruling giving the US Government access to EU citizens data if it is held by a US corporation and the fact that it is not possible for a non-US citizen to bring a claim for misuse of their data in the US.

But there is some complexity. That pesky email Microsoft refused to hand over to US authorities is becoming more and more of an issue. That email led to the US Supreme Court ruling that the US government has jurisdiction over US corporations and their subsidiaries wherever in the world they are. That extends the scope of the ruling to cover not just transfers of data to the US, but also transfers of data to a US Corporation, even when the service they are providing is delivered from within the EU.

I have blogged before about the impending General Data Protection Regulations (GDPR), which are currently in Trilogue in Brussels. Those new regulations are going to mean huge change for the controllers and processors of data within the EU, the loss of safe harbour is only going to make that worse, with some commentators suggesting that the combination of all these factors increases the threat of a Balkanised Internet.

For the big US tech companies, this ruling could be terrible, but it probably won’t be. Providing the EU and US can manage to play nicely on this issue, a new way of working will be found, but for now, until the dust settles, placing any long term bets on a strategy that is reliant on using those companies represents a significant risk that your strategy will not be compliant with the Law.

Overall; if, as the controller of data inside an EU-based organisation, you are using the services of a US headquartered Corporation, you need to review your contracts. If you are relying on safe harbour you should, as a minimum, ensure your contracts have approved ‘model clauses’ added into them.

If the data you hold and process is particularly sensitive, you might want to consider changing the provider of services you use to one headquartered in the EU.

Dan Sutherland, CEO of Carrenza

Image source: Shutterstock/Maksim Kabakou