On Tuesday, October 6th, the European Court of Justice (ECJ) invalidated the Safe Harbor, an agreement between the European Union and the United States Department of Commerce that allowed companies to transfer Europeans’ personal information to over 4,000 companies in the United States. The ruling leaves U.S. and EU companies and consumers facing uncertainty and searching for alternative ways of doing business while maintaining compliance with EU data protection laws.
What Is Safe Harbor
The “Safe Harbor” is the name of an agreement that had been in place since the year 2000 between the United States Department of Commerce and the European Union in response to a 1995 EU Privacy Directive that banned transfers of personal information to countries that the EU deemed to have insufficient privacy controls. The U.S. was not on the list of countries found to have sufficient privacy controls. The Safe Harbor was a compromise agreement that allowed transfer of personal data of EU residents to, and processing and storage of such personal data by, companies in the U.S. that certified under the Safe Harbor and agreed to abide by EU privacy principles.
Why The New Ruling
The European Court ruled that because the United States government authorities can gain access to this information — and did, as revealed by documents leaked by Edward Snowden — the agreement violated European privacy rules.
The ruling itself does not immediately require companies to stop transferring data to the U.S., but allows all 28 individual national governments of the EU to investigate and suspend any data transfers that they find to violate privacy rights. With European states’ varying views on privacy, this could lead to a situation where U.S. companies will have to navigate a minefield of inconsistent requirements.
Who and What Does This Impact
The ruling impacts companies worldwide that engage in transatlantic business involving the transfer of data of any EU resident to the United States. EU-based businesses will be most significantly impacted in the short term as they work to understand the implications and find solutions for continuing to do business with companies in the United States. The ruling will also be disruptive to large, U.S.-based companies that rely on large-scale data transfers to support services such as online advertising, but possibly more so to small and medium-sized organizations, which may not have the resources to find other data transfer methods, establish operations within Europe, or defend against privacy complaints.
It is important to prepare and take steps, but not to panic. As we speak, the European Commission and the U.S. Department of Commerce are still working collaboratively on a new Safe Harbor agreement, and many watching this matter closely are confident that an agreement will be reached. In addition, a working group made up of representatives from the data protection authorities (DPAs) of each EU member state (called the Article 29 Working Party) is set to meet on October 8th and is expected to provide some imminent guidance. In the interim, viable alternatives for EU and U.S. businesses exist, such as the use of model contractual clauses approved by the European Commission and the use of so-called binding corporate rules (BCRs) for transatlantic intra-company (group) transfers.
What You Need To Do
Organizations impacted by this ruling on both sides of the Atlantic should be engaged in examination and planning. We recommend the following:
- Assess and document how and where you transfer, use, store, process and protect personal data of EU citizens
- Perform an assessment of your cloud services that EU residents could have access to and identify personal information that you are unexpectedly storing
- Identify the apps that are connected to your cloud services that store data on EU residents. In many cases, these connected apps require significant access to your cloud services and could violate the security and privacy protection your organization is obligated to provide
- Implement controls in the apps you buy, build, and sell to ensure that data that needs to be kept private is protected from sharing and configuration errors
CloudLock Can Help
CloudLock provides the tools you need to understand and protect the data you have in your cloud environments — including personally-identifiable information (PII) — for applications you buy, build and sell. Evaluate CloudLock today to gain visibility and control over the data you are storing across multiple cloud platforms, from Salesforce and Google Apps to anything built on top of Amazon Web Services (AWS) and Force.com.
Don’t Take Our Word For It
Experience the CloudLock Security Fabric first-hand in a demo and take the first step to securing your cloud ecosystem, including SaaS, PaaS, IaaS, and IDaaS environments to solve five primary needs: Threat Protection, Cloud DLP, App Discovery and Control, Risk and Compliance Management, and Auditing and Forensics.