Safe Harbour's demise leaves data laws all at sea
Published 20/10/2015 | 02:30
The European Court of Justice has determined the Safe Harbour agreement between the EU and the US to be invalid. But what is Safe Harbour, and why should you care?
We are all very familiar with Edward Snowden and the activities of the NSA and GCHQ, which his whistleblowing revealed to a shocked world in 2013. The reaction to that has been mixed, from abhorrence to lack of interest, with most of us in between - ultimately uncomfortable, but not overly concerned.
One of the victims of the fallout was an agreement between the EU and the US, called Safe Harbour, effectively a self-registering method to allow US firms to declare that they would process the personal data of European citizens in line with European data protection legislation.
The European perspective has always held that the US does not provide in its privacy laws an adequate level of protection for the rights of European citizens when their personal data is being processed in that jurisdiction. The revelations of Edward Snowden did nothing to dismiss that opinion.
Safe Harbour, therefore, played an important role in attempting to bridge that gap.
With Safe Harbour torpedoed, no US firm registered under that agreement is currently legally entitled to use the personal data of European citizens. For any organisation in that situation, litigation must be a real concern.
However, what about the rest of us, who may have no idea who or what companies possess our personal data? Is this something we should be concerned about?
The answer is, flatly, yes. The amount of personal data available about each one of us is staggering. Your information resides across, on average, thousands of databases, all over the world, most of which you have no idea about.
The public, in general, is becoming more aware of its rights enshrined within data protection law, and is beginning to question how companies use its information, all of which determines which brands people are prepared to give their loyalty to.
Indeed, brand loyalty is now a key factor in how corporate businesses strategise for growth and profitability. Simply ask Apple! Consumers are more prepared to part with their personal data to businesses they trust.
Therefore this social awareness of data protection is becoming more pronounced, and businesses the length and breadth of the European Union, and further afield, are waking up to the reality that this is an area which needs to be dealt with seriously.
So, for the general public, the death of Safe Harbour should be a concern.
Effectively, no American company can guarantee protections for European citizens, unless they take action now and put in place other controls to ensure that the same level of protection is in place, as is enforced with their European counterparts. Most companies will attempt to do this using 'model contracts', effectively a template contract created by the EU Commission which is very heavy on terms referring to the rights of the individual person.
However, these contracts have little, if anything, to say about the specifics of the processing itself.
Here is the rub, and likely where the warts and all come out in the post-Safe Harbour world. The key point behind data protection, which many organisations do not practise in reality, is that companies are expected to maintain absolute and verifiable control of the processing of personal data, whether through themselves or by third parties under their instruction.
Most of those who signed up to Safe Harbour - and believe you me, there are many in the US who never did - are unlikely to ever have put together, in partnership with their European partners, an actual data protection contract/agreement that specifies precisely what data is being processed, and how it is being processed.
Fundamentally, this is where the difficulties will arise.
US firms will now need to account for the detail of the actual processing to ensure it is not excessive.
They will now also have to comply individually with the unique take on data protection law exercised within each country of the EU. There is just enough variation in each to provide a serious headache for any organisation operating in EU countries.
Large US firms may open themselves up to further legal challenge and may in turn opt to restrict the services they provide in Europe, until such time as an alternative to Safe Harbour is found.
Unfortunately, this could mean that European citizens may lose out on commercial benefits and services from US brands for a period of time.
Ultimately, data protection law is designed to protect your rights.
The death of Safe Harbour may end up accelerating companies into taking their obligations to uphold your rights more seriously, and begin real change in implementing the necessary steps to demonstrate they can really be trusted with your data.
Mike Morrissey is an IT professional with Dublin data protection specialist firm Sytorus