THE SAFE HARBOR SINKER
It started with Edward Snowden's NSA revelations. But Bot brought down the hammer, dismantling the EU-U.S. Safe Harbor agreement. The move translates into serious changes for TMCs and any company that houses European client data in the United States.
In October, the European Court of Justice, acting on the recommendation of its advocate general, Yves Bot, ruled that the Safe Harbor policy agreement between the European Union and the United States is invalid. The decision potentially harms any business that stores personal data of EU citizens inside the United States. Unless the United States and EU can reach a new agreement, U.S. tech companies may have to spend time and money building European data storage infrastructure or risk losing customers.
The EU has more exacting data-protection standards than does the United States, and Safe Harbor was the mechanism by which U.S. companies pledged to bridge the gap, though it did not involve any external oversight. It was doomed in 2013, however, as soon as former National Security Agency contractor Edward Snowden revealed the extent to which the U.S. government extracts data from the country’s tech companies. The ECJ ruling is “potentially a major blow to U.S. tech companies,” according to a data science consultant quoted on IT industry website The Register. The consultant continued, “[They] will need to significantly restructure how they manage and use data. The cost implications could be huge, with many having to extensively expand their data centre capacity throughout Europe.”
Another potential remedy would be for U.S. companies to negotiate data protection with each European client, agreeing via contractual clause to provide an EU-compliant level of protection. However, opinion is split on whether such undertakings are sustainable, given the ECJ’s opinion that U.S. government agencies can access personal data transferred to the United States.
Can the can of worms Bot opened be resealed? More should become clear by Jan. 31, when European Union member states’ various data-protection authorities are expected to rule whether, following Bot’s opinion, they still consider valid the standard contractual clauses that have existed for years between EU and non-EU service providers. That is also the date the United States and EU have targeted to agree on the so-called Safe Harbor 2.0, with tighter assurances.