Safe Harbor was an agreement between the US and the EU designed so that US organizations could transfer the Personally Identifiable Information (PII) of EU citizens across the Atlantic while complying with EU data privacy rules and regulations.
Under Safe Harbor, US organizations could “self-certify” that they were compliant with EU data rules and regulations. However, Safe Harbor was recently struck down by the EU’s highest court, in large part because of the US government’s own philosophy and behavior regarding access to data held by companies. EU officials had also never fully supported the self-certification program.
This raises the question: should you be worried about the EU court’s decision to strike down Safe Harbor? We think there are several reasons you should be paying attention. Here are three that stand out.
Reason #1 — The Broad Definition of PII
If you store in or transfer to the US any PII belonging to EU citizens, you need to comply with EU rules. The hardest part about PII is that there is no single definition of what it is, even within the EU. In some countries, even social media handles are considered PII.
Here are just some of the forms PII takes in certain countries:
- Identification Numbers
- Email Address
- Business Address
- Social Media Posts
- Twitter Handle
- Credit Card Info
- Phone Number
Note that it does not matter whether this information is encrypted or not: if you store it, you need to comply.
Reason #2 — The Urgency of Implementation
This is happening now. The EU informed the US government that it has until January 2016 to agree to a new policy, which is unlikely, before the Data Protection Authorities (DPAs) will “take all necessary and appropriate action, including coordinated enforcement action.” The EU’s Article 29 Working Party also “urged businesses to consider putting any legal and technical solutions to mitigate any possible risks they face when transferring data.”
There are also reports that Germany may already be monitoring the way some companies store and transfer data to the US.
Reason #3 — No New Policy Expected Soon
Safe Harbor allowed the US and EU to conduct online business, so striking it down makes that harder. The EU acknowledges this and has pressed the US to work with it toward a new agreement, and reports coming out of Washington DC indicate that talks are happening.
That does not mean a new policy should be expected soon. The problem is not cooperation but a difference of philosophy. The US prioritizes security, and its government feels it has the right to acquire citizen data to protect itself. In the EU, this is forbidden, and the prospect of EU citizen data being accessed by the US government does not sit well with its highest-ranking officials.
This is not something a policy alone can fix. Under the Safe Harbor agreement, the US showed that it did not prioritize that relationship.
In fact, even if officials on both sides of the ocean agree to a new policy, it might not survive the EU’s highest courts. Per Ars Technica:
What is needed, the NGOs write, is for privacy laws themselves to be updated on both sides of the Atlantic in the light of the CJEU judgment … which call for “the end of mass surveillance by intelligence agencies”, and “the establishment and modernization of legal frameworks that protect fundamental rights,” among other things.
Overall, if there is an agreement, expect it to be put under a microscope and carefully examined before it becomes law.
Concluding Thoughts and Solutions
Because this is a big deal for anyone who does business with the EU, SmartFile built a guide of FAQs to help you work through potential solutions for your business. You can download it here!