Safe Harbour agreement ruled invalid – Part 1
On Tuesday 6 October 2015, the European Court of Justice ruled that the Safe Harbour agreement, the framework under which personal data on EU citizens could lawfully be transferred to the US, was invalid. This is a judgement with far-reaching consequences for businesses on both sides of the Atlantic.
The Safe Harbour agreement was introduced in 2000. It allowed personal data on EU citizens to be transferred to and stored by self-certified US companies, despite significant differences in data privacy requirements between the EU and the US. Safe Harbour provided a single legal framework for the transfer and storage of EU citizens' data in the US, simplifying the legal landscape for firms.
Without the Safe Harbour agreement, US firms would have been required to meet data privacy obligations defined by each European country with respect to its citizens’ data.
The validity of the agreement was brought into question when Max Schrems, an Austrian law student, complained to the Irish Data Protection Commissioner that Facebook's transfer of his personal data to the US exposed it to surveillance by the NSA, and that the US therefore did not adequately protect it. The complaint was rejected, but Schrems challenged that decision in the Irish High Court, which referred the question to the European Court, resulting in this landmark ruling.
The European Court ruled that the Irish Commissioner must now review the case, to determine whether transfer of personal data to the US “should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”
The impact of this ruling is global. With the rise of cloud services, huge volumes of European citizens' data are stored outside the EU under the auspices of the Safe Harbour agreement. Organisations hosting and managing this data in the US face potentially costly changes as they look for an alternative lawful basis for the transfers or move European data back to EU-based facilities.
This ruling doesn’t only impact businesses in the US, as UK and European businesses that utilise US data centre and processing facilities will also be affected.
Organisations are seeking clarification of the immediate implications of this ruling, and of any replacement for the agreement, since the ability to transfer data between the US and Europe is critical to so many businesses, industries and services.
In response to yesterday's ruling, the European Commission (not the Court, which rules on validity but does not negotiate agreements) has today announced that it will provide clear guidance on alternatives to the now invalid agreement, and will continue work on a renewed Safe Harbour agreement that is fit for purpose.
The Commission has highlighted that alternative mechanisms for transferring European citizens' data already exist under EU data protection law: contractual agreements that bind the recipient to EU-standard protection, transfers where there is demonstrable evidence that the transfer is necessary in the personal or public interest, and transfers to which the individual has given consent.
Our team of specialist Cybersecurity consultants understand the importance of data protection and our staff are highly skilled in a wide range of security disciplines including Data Protection, PCI DSS and ISO27001. We can provide consulting support to help you understand your Data Protection responsibilities.
We can also help you in designing, implementing and documenting appropriate security controls, procedures and policies to meet your obligations, all within a holistic cybersecurity framework that takes into account all other applicable standards or regulations that are appropriate for your business. For further information email firstname.lastname@example.org
If you are a merchant that requires technical or PCI DSS help, please click here