Safe Harbor Declared "Invalid"

There will be some significant changes on the horizon regarding how private information is transferred between European Union nations and the United States.  Modifying the flow of data across these international borders may have a negative impact on commerce and has the potential to affect all European technology users. On October 6, 2015, the European Court of Justice found invalid “Safe Harbor,” the framework for how United States companies transfer personal data of European Economic Area citizens.


Back to the Beginning:  The Data Protection Directive

Part of the European Union privacy and human rights law, the Data Protection Directive was adopted by the EU Parliament and Counsel in 1998.  It applies to all nations in the European Economic Area:  the European Union as well as Iceland, Liechtenstein and Norway. Its goal is to regulate how personal data is transferred between these countries and the outside world. Transfers are not permitted between EEA and non-EEA nations that do not meet certain criteria for privacy protection.   The directive is based on seven principles:

  • Notice: subjects whose data is being collected should be given notice of such collection.
  • Purpose: data collected should be used only for stated purpose(s) and for no other purposes.
  • Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s).
  • Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.
  • Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data.
  • Access: subjects should granted access to their personal data and allowed to correct any inaccuracies.
  • Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.


Safe Harbor Agreement:  Rough Waters

Negotiations between the United States and the EU lasted two years before the Safe Harbor Agreement was signed in 2000.  This agreement set the framework for how the US companies align their practices to work within the Data Protection Directive restrictions, specifically how American enterprises handle personal data of EU citizens.  If enterprises’ business involves transferring data to and from EEA nations, the US companies have to self-certify that they comply with the privacy principals and would be held accountable with the enforcement procedure.

Soon after US/EEA data transfers began under Safe Harbor, the EU began criticizing some companies’ privacy policies as not being transparent enough and maintained that actual compliance and enforcement were not happening. Meanwhile, the US Department of Commerce denied these concerns and reported greater data protection awareness as a result of Safe Harbor. Furthermore, the US defended its businesses saying that a significant capital expense is made to comply with Safe Harbor.  It argued that compliance is in a company’s best financial interest. However, after Edward Snowden exposed the National Security Association’s PRISIM surveillance program in 2013, the Commission was directed to conduct a full review of the validity of Safe Harbor. Keep in mind that the UK, Germany, the Netherlands, France, and Sweden also conduct mass surveillance programs.

The Cloud Security Alliance developed a self-regulating framework for cloud service providers in 2013, and updated it to Privacy Level Agreement 2.0 in June 2015.  It offers guidance to CSPs in how to align with European privacy standards.


Making it Facebook Official

In January of this year, the European Commission unveiled plans for a reboot:  the European Data Protection Regulation. It would replace the nearly 20-year-old Data Protection Directive, and as a “regulation” would instead only need the commission’s approval and not legislative involvement.   Just two weeks ago, the commission was told that EU Facebook users could not be guaranteed privacy protection on US servers due to government surveillance practices. Tech giants IBM, Cisco, Amazon, and SAP have lobbied against these regulations saying they would choke out Europe’s cloud computing industry as a result. The new regulations would allow users to sue companies processing data. Amazon, Google, and Facebook all have large operations centers in European nations, and lobbyists warn that leaving for regions easier to work with would be devastating to the EU economy.

The Data Protection Regulation is expected to be hammered out in the next three months, but won’t be adopted until 2017.  It is sure to have more teeth than its predecessor.  The case against Safe Harbor now moves to the Irish High Court where it will be followed closely on both sides of the Atlantic.


The European Union is changing the way United States enterprises have access to and use of EU citizens’ personal data.  Negotiations on working out the new Data Protection Regulation continue until the end of this year.  It will replace the current Data Protection Directive, which includes Safe Harbor – the agreement between European Economic Area nations and the United States.  The European Court of Justice found Safe Harbor “invalid” on October 6, 2015.  The Irish High Court will now hear the case.  The outcome could have a significant economic impact in the EU as well as the way companies like Facebook, Google and Amazon do business in European nations.

CIPP Exam Preparation:

In preparation for the Certified Information Privacy Professional/Europe (CIPP/E) exam, a privacy professional should be comfortable with topics related to this post, including:

European Regulatory Institutions (I.A.B.)

The EU Data Protection Directive (95/46/EC) (I.C.B)

European Data Protection Law and Regulation (II.A.B.)

Compliance with European Data Protection Law and Regulation (III.E.)


Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>