A few years back, an unknown Austrian student, Max Schrems, lodged a formal complaint with the Irish Data Protection Commissioner about concerns he had around Facebook's transfer of European citizens' data to the US, and the access given to the NSA and other Federal agencies for the purpose of state security.
Unable to get satisfaction through the Irish Commissioner, Max pursued this concern through the courts until eventually getting a final arbitration on the matter by the highest legal authority in Europe, the European Court of Justice (ECJ).
Today, the ECJ has found Safe Harbour to be invalid, indicating that it provides insufficient protection for European citizens. This decision follows the court's examination of the unprecedented level of access US authorities had to European citizens' data.
So, what does this mean?
The impact is, frankly, seismic. Whilst the scope of the findings focused on Federal agency access to data, the invalidity of Safe Harbour now affects all U.S. businesses that process European citizens' data outside of the European Economic Area, as well as European businesses using third-party providers domiciled in the U.S. for whom Safe Harbour had been the defined, legal route through which they were processing that data.
With Safe Harbour now effectively dead, those organisations currently operating under its former aegis will need to rapidly fill a legal gap which otherwise may create unpalatable consequences.
What are those consequences?
Firstly, those operating solely under Safe Harbour are now no longer able to provide minimum and adequate protection for the personal data under their responsibility. This introduces a range of legal and reputational risks which companies are becoming less inclined to accept.
Secondly, those who have, to date, operated completely outside the law will likely find themselves in the limelight and having to answer some tricky questions, now that Safe Harbour and its death are front page news throughout the European Union.
So what should I do next?
Regardless of which of the two camps mentioned above you are in, the immediate answer is, for now, a legal one. For transfers to countries outside the jurisdiction of the European Union, there is a type of contract which is considered legally permissible: the 'Model Contract'. The primary purpose of the 'Model Contract' is to ensure adequate protection of European citizens' rights under Data Protection in jurisdictions where the same basic principles are not currently in place.
The 'Model Contract', however, is a very legal approach to the practical problem now facing U.S. companies. Its approach is theoretical, rooted in the higher-level concepts of privacy rather than in practical day-to-day data management. Companies will also now be forced to put in place more defined controls around their processes to ensure compliance. This will involve change management, and cost.
As this is now front page news in Europe, U.S. companies, and those within the E.U. who send data to them as part of their own daily processing, will now face a new challenge: competitor and social pressure.
What is competitor and social pressure?
Within the E.U., citizens are becoming more aware of their rights, and they are exercising them more frequently. They are prepared to question and to challenge, and, frankly, to take their business elsewhere if they are not confident. Brand trust is of huge importance in consumer decision making.
In addition, competitors will use your weakness to win your customers from you. Undoubtedly there will be some who seek to take advantage of the chaos that the ECJ decision will bring over the coming months.
Companies will, therefore, need to move quickly and confidently, ensuring that they control the communication around this event as much as the actions taken to ensure business as usual.
How can PrivacyEngine help?
Two ways. Firstly, you can find templates for the 'Model Contract' in our content when you sign up for either the free trial or purchase a package. Those who subscribe can also engage with our experts, online, to begin and complete the process of getting this contract in place.
Secondly, the primary thrust of PrivacyEngine is to help organisations use Data Protection compliance to gain business advantage. Effective engagement through our subscription service will quickly aid your organisation in understanding how to put this advantage in place, and gain more business and consumer confidence.