Safe Harbor, No Longer Safe

Mark Fantozzi

Since 2000, the US-EU Safe Harbor Framework has allowed US companies to transfer personal data from the European Union without breaching the EU’s data protection laws. Safe Harbor companies self-certify to the Department of Commerce that they comply with the EU standard, and the FTC enforces that promise. More than 4000 European and American companies are Safe Harbor-certified.

But on October 6, 2015, the European Court of Justice upended the framework. In the Schrems case it declared the European Commission decision underpinning Safe Harbor invalid, holding that the scheme allowed US public authorities access to transferred data in a way that compromised Europeans' fundamental right to privacy. Bruce Schneier provides links to the judgment, press release and summary of the decision.

Extent of Change Unclear

The New York Times coverage points out uncertainties about the scope of the ruling:

  • "The data transfer ruling does not apply solely to tech companies. It also affects any organization with international operations, such as when a company has employees in more than one region and needs to transfer payroll information or allow workers to manage their employee benefits online."
  • "The ruling is so sweepingly broad that any mechanism used to transfer data from Europe could be under threat", according to Brian Hengesbaugh of Baker & McKenzie, as quoted in the article.

Call the Lawyers

In his Gartner blog, Earl Perkins focuses on the legal ramifications. Neither Summa nor Gartner provides legal counsel, and this is a legal question, so his advice starts there:

  • First, consult your legal counsel on the impact to your business.
  • Replace Safe Harbor with new legal contracts, structures and safeguards that meet the EU's rules for the protection of personal data.
  • If your company is not Safe Harbor-certified, you are not off the hook. The ruling is likely to prompt national data protection authorities (DPAs) to scrutinize model contracts and other transfer mechanisms too. DPAs in Germany, France, Spain, Italy and Poland are especially likely to want a greater say in international transfers.

Assess Your Own Situation Now

You need to know what's at stake. How great is your exposure, and how will your data storage and processing systems be affected?

  • Identify high-risk items and actions that can mitigate problems in the short term.
  • Determine whether your current in-flight projects need architectural adjustments to meet EU privacy rules.
  • If you rely on vendors' Safe Harbor agreements, find out what steps they are taking.

References

Below is a short list of Summa vendors that have updated their guidance on security and compliance in light of these changes.

About the author: Mark Fantozzi, Solution Architect