Safe Harbor's demise means data laws are all at sea
Posted by Mike on 20 October 2015

Note: The article below, written by Mike Morrissey of Sytorus and PrivacyEngine.io, was published by the Irish Independent on 20th October 2015.

We are all very familiar with Edward Snowden and the activities of the NSA and GCHQ, which his whistleblowing revealed to a shocked world in 2013. The reaction since has been mixed, ranging from abhorrence to lack of interest, with most of us somewhere in between: ultimately uncomfortable but not overly concerned.

One of the victims of the fallout was an agreement between the E.U. and the U.S. called Safe Harbor, effectively a self-registration scheme that allowed U.S. firms to declare that they would process the personal data of European citizens in line with European Data Protection legislation.

The European perspective has always held that the U.S. does not provide, in its privacy laws, an adequate level of protection for the rights of European citizens when their personal data is processed in that jurisdiction. The revelations of Edward Snowden did nothing to dispel that opinion.

Safe Harbor therefore played an important role in attempting to close that gap.

With Safe Harbor torpedoed, no U.S. firm registered under that agreement is currently legally entitled to use the personal data of European citizens. For any organisation in that situation, litigation and similar consequences must be a real possibility.

But what about the rest of us, who may have no idea which companies hold our personal data? Is this something we should be concerned about?

The answer is, flatly, yes. The amount of personal data available about each one of us is staggering. Your information resides, on average, across thousands of databases all over the world, most of which you know nothing about.

The public, in general, is becoming more aware of its rights enshrined in Data Protection law, and is beginning to question how companies use its information, all of which determines which brands people are prepared to give their loyalty to.

Indeed, brand loyalty is now a key factor in how corporate businesses strategise for growth and profitability. Simply ask Apple! Consumers are more prepared to share their personal data with businesses they trust.

This social awareness of Data Protection is therefore becoming more pronounced, and businesses the length and breadth of the European Union, and further afield, are waking up to the reality that this is an area which needs to be dealt with seriously.

So, for the general public, the death of Safe Harbor should be a concern. Effectively, no American company can guarantee protections for European citizens unless it takes action now and puts in place other controls to ensure the same level of protection as is enforced on its European counterparts.

Most companies will attempt to do this using ‘Model Contracts’, effectively a template contract created by the E.U. Commission, which is very heavy on terms referring to the rights of the individual. But these contracts have little, if anything, to say about the specifics of the processing itself.

Here is the rub, and likely where the warts and all come out in the post-Safe Harbor world. The key point behind Data Protection, which many organisations do not practise in reality, is that companies are expected to maintain absolute and verifiable control over the processing of personal data, whether by themselves or by third parties acting under their instruction. Most of those who signed up to Safe Harbor, and believe you me, there are many in the U.S. who never have, are unlikely ever to have put together, in partnership with their European partners, an actual Data Protection contract or agreement that specifies precisely what data is being processed and, importantly, how.

Fundamentally, this is where the difficulties will arise. U.S. firms will now need to account for the detail of the actual processing, to ensure it is not excessive. They will also have to comply individually with the unique take on Data Protection law exercised within each country of the E.U. There is just enough variation between them to give a serious headache to any organisation operating in every EU country.

Large U.S. firms may open themselves up to further legal challenge and may in turn opt to restrict the services they provide in Europe until an alternative to Safe Harbor is found. Unfortunately, this could mean that European citizens lose out on commercial benefits and services from U.S. brands for a period of time.

Ultimately, Data Protection law is designed to protect your rights. The death of Safe Harbor may end up pushing companies into taking their obligations to uphold your rights more seriously, and into beginning real change by implementing the steps necessary to demonstrate that they can truly be trusted with your data.