The European Court of Justice has today declared the Safe Harbour Agreement invalid, with many branding the ruling seismic in its business implications.

The ECJ ruled that the agreement compromised the privacy of EU citizens, and that it prevented EU data protection watchdogs from intervening on behalf of EU citizens who complain that their privacy has been infringed.

Because the Safe Harbour agreement, which allowed the personal data of EU citizens to be transferred to the US, is relied on by many businesses, the implications for businesses large and small are far-reaching.

CBR asked the experts how the ruling could affect business, and what it means for data sharing in the long run.

1. The root of the problem

Sheila FitzPatrick, WW Data Governance & Chief Privacy Officer at NetApp, said:

"The root of the problem is the fundamental difference between the EU’s expectation of privacy and the US belief in growing the global marketplace, despite the potential negative effect on a citizen’s fundamental right to protect their personal data.

"This philosophical difference is not easily bridged. However, there are proven and feasible solutions for companies that work in both environments and achieve the standards required. This has now been underlined by the ECJ."

2. Major implications beyond Facebook

Deema Freij, global privacy officer at Intralinks, said:

"Any company with operations in Europe and transferring data to the United States under Safe Harbour will now need to carefully evaluate how it protects personal data, and re-evaluate governance, risk and compliance processes to meet international data transfer requirements to the United States without Safe Harbour being part of the mix."

3. Two options remain

Mark Lomas, senior consultant within Capgemini’s cybersecurity practice, said:

"What it ultimately means is that US organisations have two options. Firstly, some may choose to supply services from within the European Economic Area (EEA), as Microsoft do with Azure in the Netherlands and Amazon Web Services from Ireland.

"Secondly, those that want to continue providing services from the US to Europe would be well advised to document their security controls in a template version of the model clauses so that they are ready for contract negotiation."

4. Binding corporate rules & model clauses

Mahisha Rupan, Data Protection & Privacy Senior Associate at Kemp Little, said:

"There are alternative ways of ensuring adequate protection for personal data relating to EU citizens, such as implementing binding corporate rules or executing a ‘model clauses’ contract between the data exporter and data importer.

"However, it is worth mentioning that binding corporate rules only work for intra-group data transfers, and model clauses will need to be put in place between each data exporter and each data importer, which may prove impractical where a US company has thousands of EU-based customers."

5. Ensuring public cloud privacy post-Safe Harbour

Andy Hardy, Managing Director EMEA at Code42, said:

"What businesses need to do now is safeguard data. They need to find solutions that keep their, and their customers’, data private, even when backed up into the public cloud.

"The best technologies will ensure that encryption keys are kept by our customers on-premise, so only they can decrypt the data and that no-one else can access it unless with prior direct request. This is the only way to ensure privacy in the public cloud post Safe Harbour."
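A concrete form of the keys-stay-on-premises arrangement described above, added here as an example and not code from the article or from Code42: envelope encryption using only Go's standard library. Each backup object is encrypted under its own data key (DEK), the DEK is wrapped with a key-encryption key (KEK) that never leaves the customer's premises, and the cloud stores only the two ciphertexts. The function names, the envelope layout, the object identifier and the sample CSV object are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything the cloud provider stores for one backup object:
// the object ciphertext and the per-object DEK, itself encrypted under the
// customer's on-premises KEK. Neither key appears in plaintext.
type Envelope struct {
	ObjectID   string // authenticated as associated data, so an envelope cannot be moved onto another object
	WrappedDEK []byte // AES-256-GCM: nonce || ciphertext || tag
	Ciphertext []byte // AES-256-GCM: nonce || ciphertext || tag
}

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext (and authenticates aad) with a
// fresh random nonce, returning nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, nonce, ciphertext or aad differ
// from what was sealed, so a wrong key yields an error rather than garbage.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptForCloud runs on-premises before upload: a fresh 256-bit DEK per
// object, object encrypted under the DEK, DEK wrapped under the KEK. The
// plaintext DEK and the KEK are never written into the envelope.
func EncryptForCloud(kek, object []byte, objectID string) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, object, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{ObjectID: objectID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFromCloud runs on-premises after download. Anyone without the KEK,
// the provider included, cannot unwrap the DEK and therefore cannot read the object.
func DecryptFromCloud(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(env.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", env.ObjectID, err)
	}
	return open(dek, env.Ciphertext, []byte(env.ObjectID))
}

func main() {
	// Constructed sample input (not from the article): an on-premises KEK and
	// one small backup object.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	object := []byte("id,email\n1,alice@example.com\n2,bob@example.com\n")
	env, err := EncryptForCloud(kek, object, "backups/2015-10-06/customers.csv")
	if err != nil {
		panic(err)
	}
	// env is what gets uploaded. Holding env alone, without the KEK, fails:
	if _, err := DecryptFromCloud(make([]byte, 32), env); err != nil {
		fmt.Println("without the KEK:", err)
	}
	pt, err := DecryptFromCloud(kek, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on-premises with the KEK: %q\n", pt)
}
```

Two design points worth noting. The object identifier is passed as associated data to both GCM operations, so a provider (or anyone with write access to the bucket) cannot swap the envelope stored under one name onto another object without triggering an authentication failure. And because the DEK is random per object, rotating or revoking the KEK means re-wrapping a list of small DEKs rather than re-encrypting every backup; in production the KEK itself would live in an on-premises HSM or key manager rather than in process memory as it does in this illustration.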