Unafe Harbor

After 15 years of tenuous operation and months of speculation, the EU/US Safe Harbor arrangement is sunk. According to SC Magazine:

"In a decision with widespread implications for the international transfer and processing of data - and the companies that provide these services - the European Court of Justice has ruled the EU-US Safe Harbour pact invalid. Experts are warning of massive disruption to international business."

Safe Harbor was formally implemented by the US Department of Commerce in July 2000:

"Decisions by organizations to qualify for the safe harbor are entirely voluntary, and organizations may qualify for the safe harbor in different ways. Organizations that decide to adhere to the Principles must comply with the Principles in order to obtain and retain the benefits of the safe harbor and publicly declare that they do so. For example, if an organization joins a self- regulatory privacy program that adheres to the Principles, it qualifies for the safe harbor. Organizations may also qualify by developing their own self- regulatory privacy policies provided that they conform with the Principles. Where in complying with the Principles, an organization relies in whole or in part on self- regulation, its failure to comply with such self- regulation must also be actionable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts or another law or regulation prohibiting such acts. (See the annex for the list of U.S. statutory bodies recognized by the EU.) In addition, organizations subject to a statutory, regulatory, administrative or other body of law (or of rules) that effectively protects personal privacy may also qualify for safe harbor benefits. In all instances, safe harbor benefits are assured from the date on which each organization wishing to qualify for the safe harbor self-certifies to the Department of Commerce (or its designee) its adherence to the Principles in accordance with the guidance set forth in the Frequently Asked Question on Self-Certification."

Safe Harbor was never ideal from the EU perspective since it relied almost entirely upon trust. US organizations who voluntarily attested that they complied with the additional privacy requirements under EU law (over and above those required under US law) were presumed to have all the relevant privacy and data security controls in place, qualifying them to handle personal data on EU citizens. As far as I know, there were no independent inspections or enforcement actions to speak of. In contrast, EU organizations are legally obliged to have a range of privacy and data security controls based on those originally specified back in 1980 by the OECD.

The end of Safe Harbor is a problem for EU organizations that depended upon it to absolve them of blame if personal data on EU citizens was inadequately secured by various US organizations communicating, storing and processing it on their behalf. Many websites, apps, cloud services and so forth run in US data centers, and a fair proportion of them handle personal data ... so it will be interesting to see what happens next. My guess is that some US data centers or related organizations will seek audits and certifications confirming that they do indeed have EU-style privacy and security controls in place, while others may well lose their EU customers.