CJEU Rejects Safe Harbor Rules for User Data Transfer
If you’ve been listening, the CJEU has just rejected the safe harbor rules put into place 15 years ago. The implications of this ruling could render many global companies in a tough spot, specifically companies that rely on the free transfer of data between the EU and US. Companies likely to be affected not only include US social media sites, but US cloud file share sites like Dropbox (and their customers who use their services to store EU citizens’ personal data), global retailers with buyers in the EU, and any US business that manage personal data of EU citizens.
User Privacy Impacts ‘Business As Usual’
Although the changes are not immediately in effect, the demands of user privacy will likely impact ‘business as usual’. It is an obvious backlash to NSA surveillance of citizens online activities without their knowledge or consent. But the cost to global businesses is that it’s going to be harder to provide services and data between the US and Europe.
“If the Safe Harbor rules in place since 2000 are done away with, each country in the European Union could potentially set is own privacy rules and regulations, creating enormous barriers to U.S. firms doing business there.” – USA Today, Europe’s top court rejects ‘Safe Harbor’ ruling
Now the scramble for CISOs in global companies is to find ways to comply with the new ruling. It goes without saying that user privacy is extremely important and should be a fundamental right, but this ruling affects more than Facebook and Google, who may have anticipated and already addressed this issue within their organizations. It most likely will change how companies need to handle data flows between the two continents. About half the world’s data is exchanged between Europe and the US, and rejecting safe harbor means drastic changes for small and medium business alike.
In talking to my colleague, Alessandro Porro, in London this morning about this news, he had the following to say:
“The strike down of the Safe Harbor agreement by the Court of Justice of the European Union (CJEU) adds a large amount of uncertainty and risk to any enterprise whose business involves data movement between the EU and US. Safe Harbor was found to not meet the requirements of the Data Protection Directive.Whilst the EU’s general approach to data protection has been agreed, the actual regulation is still in consultation and so there could be the flexibility to include clear guidance to these firms. However, it would be fair to assume that this could impact that target adoption date which is currently the end of the year. Businesses should to start working immediately to audit their data sharing practices, including use of US cloud sharing services like Dropbox, so that they understand exactly where they stand and are ready to act when further guidance is issued. “
Tough for Tech But Win for User Rights
On the other side of this, advocates of user privacy as a fundamental right are cheering a huge win. Edward Snowden was quick to tweet out form his new Twitter handle about the ruling.
Bottom line: the #SafeHarbor ruling indicates the indiscriminate interception of communications is a violation of rights. Search OR seizure.
— Edward Snowden (@Snowden) October 6, 2015
In either case, it will be interesting to see how the tech industry reacts to this. Companies will need to start getting a little more creative about how they share data between the US and EU.
What is your company doing to adjust to the new rules?
>> Engage with us next month during the Ipswitch Innovate 2015 User Summit, a two-day (October 21-22) online event for IT pros to learn from each other and our product experts.