The legal agreement that enabled the exchange of European citizens’ personal data between European and U.S. firms is no more. In an October 6 ruling, the European Court of Justice declared the Safe Harbor agreement invalid, charging that the data protection processes in place at companies like Facebook are insufficient and fail to meet the standards necessary to avoid misuse.
Safe Harbor, which was instituted in 2000, was supposed to allow for the transfer of personal data in a manner consistent with privacy standards in the European Union. However, in the wake of revelations of mass surveillance on the part of the U.S. government, the ECJ ruled that Safe Harbor does not properly protect individuals from having their personal information shared by U.S. businesses with U.S. government agencies involved in the country’s espionage programs.
The potential impact to small businesses
The reaction from many larger corporations, including Facebook, Google, Microsoft and others, has been muted, with representatives of those companies responding that they have safeguards in place that are fully compliant with E.U. privacy laws independent of the Safe Harbor agreement. Smaller companies, however, may face a greater challenge when it comes to transferring customer data going forward.
Safe Harbor was a nonbinding agreement, which meant companies were essentially responsible for self-certifying that they were in compliance. This approach made it easier for smaller companies to share data, because it didn’t require that they spend time or money for the ability to do so. With Safe Harbor’s demise, such firms may now have to rely on binding corporate rules and model contract clauses, which require going through different channels for approval before transferring data will be permitted. Companies with the resources to use these methods have, in many cases, already put them in place, but the process could strain the resources of smaller firms.
The end of Safe Harbor, at least in its existing form, has been a concern for the U.S. and the E.U. for some time, particularly as concerns about the misuse of data by U.S. companies and government agencies have increased. Authorities have long been attempting to arrive at a new agreement that balances national security concerns in the U.S. with personal privacy concerns in the E.U., and it’s unclear how the recent ECJ ruling may impact those negotiations.
The European elimination of Safe Harbor data sharing could have serious consequences for the many financial institutions, Internet companies and e-commerce businesses in the U.S. Virgin Islands that do business with European firms. If you believe your company may be impacted by the elimination of Safe Harbor data sharing in Europe, it’s important to seek the counsel of an experienced and knowledgeable business attorney.
BoltNagi is a widely respected and well-established business law firm serving corporations and partnerships throughout the U.S. Virgin Islands.