By Jason Anderson
Caveat: I am not a lawyer, and none of this is legal advice. It’s time to wake up your legal team.
For businesses that deal heavily in multi-national data, Safe Harbor offered a cumbersome but effective security blanket. The 15-year-old Safe Harbor agreement established guidelines for the legal transfer of EU consumer data to the United States, bridging the gap between US practice and the EU's much stricter security and privacy laws.
Thousands of companies take advantage of the Safe Harbor program, which explains why news of the European Court of Justice invalidating the program spread far and wide. From TechCrunch to Politico to the Wall Street Journal to the National Law Review, it seems that the end of Safe Harbor is a “big deal.”
Why all the fuss?
Bluntly: European law cares greatly about consumer data protection and privacy, while US law couldn't care less. More specifically, European law has a robust set of rules and definitions governing privacy, including a directive (the 1995 Data Protection Directive) that only allows the transfer of personal data to countries that provide "an adequate level of protection."
Safe Harbor was the program negotiated between the US and EU to assure those protections. Without a replacement, technically speaking, any transfer of consumer data to the US that does not rest on some other recognized legal basis (such as model contract clauses or binding corporate rules) would be against the law. That includes any personally identifiable information (PII) such as email addresses, contact information, or individual demographics, all favorite subjects in consumer research.
What’s the risk?
At this particular moment, nothing has changed: the ECJ's opinion is still only an opinion, and has not become a legal decision. But clearly the scales are tipping away from the current Safe Harbor framework; at a minimum, a "Safe Harbor 2.0" will be required. The greatest risks are (a) Safe Harbor 2.0 being substantially more expensive to implement for compliant businesses, or (b) no Safe Harbor program existing whatsoever.
Why is this happening?
The American ethos about the rights of the individual focuses primarily on the relationship between citizens and their government. Laws protect rights to privacy, rights against unreasonable searches and seizures, and rights to free assembly, but in every case the purpose of these laws is to restrict the power of the government.
However, most privacy-related data exchanges take place between businesses and citizens. Yes, the government has its own interests (and violations of trust), but US law does not significantly restrict what Facebook or Google or retailers can do with your data. Once you check that box accepting the 20-page terms of service for your operating system, phone, or website, your rights have typically been transferred to the business that is vacuuming up your data.
European perspectives on privacy extend to all spheres of society, including business and commercial interests. This is a fundamentally different point of view, and one that is unlikely to contract to the US definition: once a right has been given, it is not surrendered easily.
What happens next?
The exact outcome is very difficult to predict, so it's time to begin your scenario planning. Three broad outcomes are possible:
- The final decision on Safe Harbor diverges from the recent court opinion, keeping the existing framework substantially intact. This seems to be the least likely outcome, but would be the least disruptive.
- The court invalidates Safe Harbor 1.0, and a Safe Harbor 2.0 program is negotiated. A limited window of time may be offered to allow businesses to update their security and privacy protocols. In this scenario, companies will still be able to piggyback on a negotiated framework but will likely need to make some modifications to process and policy.
- The court invalidates Safe Harbor, and no replacement is negotiated in a reasonable timeframe. This “worst case scenario” returns the burden of EU-compliant data management to each individual business that operates in both regulatory worlds.