The recent European Court of Justice ruling that the US-EU safe harbor agreement is invalid poses an interesting question that many organisations will now have to ask themselves about the data they hold on behalf of their customers and employees alike.
The principles of the agreement were fairly straightforward; however, like any framework agreement that spans jurisdictional boundaries, it is easy to write down on paper but much harder in reality to enforce and control.
The principles were:
- Notice – Individuals must be informed that their data is being collected and about how it will be used.
- Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
- Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- Security – Reasonable efforts must be made to prevent loss of collected information.
- Data Integrity – Data must be relevant and reliable for the purpose it was collected for.
- Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
- Enforcement – There must be effective means of enforcing these rules.
Ultimately these rules were put in place to try to build a level of cooperation between the US and EU, who fundamentally have very different ideological views on the protection of personal data.
The EU view is far more conservative and protective of data, while the US is much more laissez-faire about how businesses treat personal data. Oddly, this is somewhat reversed when it comes to the surveillance of that same data for the purposes of “national security”.
So what does all this mean for the average UK business?
The major impact of this will come when the EU (finally) gets round to putting into law the EU Data Privacy Act, supposedly due at the end of this year. This will replace the current data privacy directive and supersede individual member states' legislation, although bodies such as the Information Commissioner’s Office in the UK will still exist to enforce it.
The data privacy act is very clear on where the responsibility lies for any EU-based business (or any business based outside the EU that stores data in the EU about EU citizens) in terms of protecting the personal data of any EU citizen.
For large corporations and multinational companies that have teams of very clever and highly paid lawyers at their disposal, this is just another set of compliance requirements that they will need to address (or, dare I say, circumnavigate).
However, as far as SMEs are concerned, this is a more complicated and less familiar bunch of legalese to traverse. According to the European Commissioner’s Office, small and medium-sized enterprises (SMEs) are the backbone of Europe’s economy. They represent 99% of all businesses in the EU. In the past five years, they have created around 85% of new jobs and provided two-thirds of the total private sector employment in the EU.
Many of these will undoubtedly be unaware of, or unsure how to deal with, this latest revelation, and the combination of the safe harbor ruling with the upcoming EU data privacy legislation muddies the already murky waters even further.
The simple answer for many organisations may be to adopt a “keep it local” strategy: rather than risk the data you hold having any chance of crossing international digital borders, simply opt for providers that can guarantee 100% the sovereignty of the data they store on your behalf.
There is still a long way to run on this, and no doubt many twists and turns along the way. Businesses face a complicated minefield of rules that no longer apply and legislation that is still pending. So for now all we can do is keep abreast of developments and inform our businesses of the shifting sands of data privacy.