A rather old framework of regulations, the Safe Harbor provisions were established in 2000 as a bridge for US and EU firms to share personal data. This was prompted by the EU’s move in 1998 to solidify and unify member states’ personal data regulations, and for many years (15, to be exact) this worked fairly well! As long as both sides of the Atlantic had proper and audited controls in place, personal data moved rather freely.
In 2015, however, challenges to the framework emerged in the EU courts, resulting in the Safe Harbor provisions being nullified and in turn forcing many companies to evaluate their data controls and the geographical location of that data. So… what does this mean? Lots, unfortunately. If your business has been operating in a multinational fashion, shifting data might have been trivial in the past – it is no longer so.
It is imperative that you begin reviewing your privacy policies and statements as well as Human Resources activities and determine whether you should have EU and US versions. Additionally, data collection requirements are now vastly different: EU regulations require an informed opt-in, whereas in the US the process usually works with an informed opt-out. This is a significant change for many companies that sell, market and do business internationally, and it can be onerous and time-consuming for companies not used to operating in that fashion. If you are working from the EU side, it is high time to start looking at local cloud service provider options, since US datacenters may be violating EU laws and regulations (I happen to know a great company!).
Does all of this mean the end of transfers of personal data? No, business still needs to be done! Methods and options are available – Model Contract Clauses as well as Binding Corporate Rules can be used to make a transition. However, there can be a substantial overhead cost to mid-sized and smaller organizations. Additionally, both the US and EU governments are working to address the issues with the Safe Harbor framework but legislation takes time.
In the end, this is a disruptor but not a destroyer for business. A final note: as with all international laws and frameworks, it is highly suggested that you engage a subject matter expert, or your cloud provider’s Compliance and IT Security teams, for more detailed options and plans.