Yes, the Safe Harbor Framework (the self-certification that allows data transfer between EU and US) has been repealed. No, there’s no need to worry. Here’s why.
Safe Harbour was created as another option within the European Union’s Data Protection Directive. Now that it is gone, there are three alternative options US businesses can consider.
How Safe Harbor fit within EU data protection policy
EU is well-known for having stricter regulations on everything from medications to make-up, and its citizen’s data is just as heavily guarded when it must leave EU borders. Within the EU, data transfer is fairly unrestricted. When it comes to transferring data to a third country such as the United States, however, data no longer has to adhere to EU laws. As a result it may be exposed to more risk, which is exactly what European authorities want to prevent. So, they enforce strict data usage rules that corporate entities must abide by if they want to export EU data abroad (even if it’s just being stored outside of the EU). To combat the difference in global security standards, the EU developed the Data Protection Directive. The Directive aims to provide legal assurance that companies that have access to EU user data agree to abide by EU’s rules and regulations and ensure protection of users’ private data.
Safe Harbor was only one option of certifying proper handling of data from EU citizens, and also the newest option.
The four three ways to legally transfer data under the EU Data Protection Directive
Before October 2015, there were four ways to ensure legal EU-US data transfer. After Safe Harbor’s repeal, businesses are left with the existing 3 ways that EU data can be legally transferred.
- User Permission
The first way is if the persons themselves agree that their data may be transferred abroad. This is the case for majority of online and retail companies, who usually put such claims in their Terms & Conditions signed and agreed upon by each individual user. (And by the way, permission has to be given only once to be considered legal.) - Binding Corporate Rules
The BCRs were developed by the EU to allow intra-organizational data transfers. These rules need to be specially approved by each EU member state, and will form a stringent intra-corporate global privacy policies. Needless to say this is a more expensive and long-term option, but may be best depending on the nature of the business. - Model contract clauses
The third way is by a formal agreement between two businesses. This is most commonly done when a contract is signed with another business, and a model contract clause is inserted, binding both parties to responsible use and handling of user data as per EU laws. Safe Harbor Framework(repealed)
Until October 2015, Safe Harbor Certification was a fourth option, where US companies could annually self-certify their own data usage policies and avoid having to add additional clauses to their contracts. Its sole purpose was to make business transactions between EU and US more efficient, but still safe. For example Intetics acquired its certification in 2012 to show adherence to the EU privacy protection standards. However on October 6th 2015, the European Court ruled that Safe Harbor is invalid in that it does not provide sufficient protection to EU citizen data. Because of the ease of this process, many companies opted for this option as part of their data protection process. After the repeal, many have to readjust their data policies, relying on the 3 remaining options.
What to do after Safe Harbor?
The Safe Harbor framework was a fairly new process. Its main purpose was to eliminate the need for data protection clauses in contracts and agreements between EU and US companies, making business a bit more efficient.
Since Intetics has operations within and outside of EU, some Intetics clients fall into the category of only being able to work with providers that were either Safe Harbor certified, or otherwise legally adhered to the EU data protection policies.
After Safe Harbor repeal, to resolve the problem of data transfer, Intetics opted to add model contract clauses to its contracts with affected clients (the third option described above). Upon legal examination, this solution sufficiently demonstrates adherence to EU data privacy protection laws.
While perhaps somewhat confusing, the Safe Harbor Framework repeal is not the end of the world, and definitely not end of business relationships between EU and US corporations. The three existing provisions under the EU Data Protection Directive are sufficient, and can be successfully used in varying ways to ensure virtually any business proposition is compliant with EU’s data protection policy.
Photo via Flickr