A 15-year-old pact which made it simpler for tech giants to send personal data from the EU to the US has now been ruled invalid.
The European Court of Justice has stated that the Safe Harbour agreement does not eliminate the need for European data watchdogs to check that US firms are taking satisfactory measures to protect the information.
The court also added that the ruling meant Ireland’s regulator needed to decide if Facebook’s EU-to-US transfers needed to be suspended.
What is Safe Harbour?
The Safe Harbour agreement came into effect in 2000 and was designed to provide a ‘streamlined and cost effective’ method for US firms to transfer data from Europe without breaking EU rules. Currently, the EU forbids personal data from being transferred to parts of the world that do not provide adequate privacy protections.
More than 5,000 US companies currently make use of the arrangement to facilitate data transfers.
What are the implications of this ruling?
Personal data should no longer be transferred to US bodies solely on the basis that they are Safe Harbour certified. The two bodies involved must draw up and sign a ‘model contract clause’ which sets out the US organisation’s privacy obligations.
“It will involve lots of contracts between lots of parties and it’s going to be a bit of a nightmare administratively,” commented Nicola Fulford, head of data protection at the UK law firm Kemp Little.
“The model clauses themselves are standard form – what you need to put into them are details of the data involved and the security steps being taken.
“It’s not that we’re going to be negotiating them individually, as the legal terms are mostly fixed, but it does mean a lot more paperwork and they have legal implications.”
It is anticipated that the new ruling will have a wide impact on businesses of all sizes.
“It’s not just about companies whose core activity is data processing – i.e. the Facebooks of the world – it’s the companies who don’t have data processing capabilities of their own and transfer personal data abroad to get it done,” explains Allie Renison from the UK’s Institute of Directors.
“So, if you’re a company that sends payroll data for administrative purposes across to the US, [it] becomes an issue. Likewise, it affects you if you’re a firm trying to send over data about your customers for a marketing campaign.”