If you weren’t aware of the ongoing debate around data protection for EU businesses storing data in the US, you should be. The Safe Harbour agreement has been back on the radar since 2013, when Edward Snowden accused Facebook of providing the US spy agency, the NSA, with access to the personal information of more than just US citizens. The accusation, although dismissed at first investigation, has become a much wider cause for upset. It uncovered the clear mismatch between US and EU views on data subjects’ privacy. US law treats cases of national security as overriding privacy laws, and so the US authorities were well within their rights to allow such actions to take place. Any data stored in the US, even by an EU-based company, is under US jurisdiction, after all.
For many of us this was news, and all of a sudden the Safe Harbour agreement, whereby organisations were allowed to store data in the US ‘safely’, became seemingly much less safe.
GREAT FOR OUR PRIVACY, DISRUPTIVE FOR BUSINESS
As EU citizens, protected by our authorities’ decision to respect our privacy, we breathe a sigh of relief in the knowledge that our personal information and conversations are no longer to be shared again with anyone – not least all the way across the Atlantic. As professionals, however, we’ve watched with bated breath as US and EU authorities dart back and forth in an effort to reach an agreement whereby our data might still be stored overseas and protected by our standards – hoping that the implications for our business won’t be too severe, or costly. After all, there is a growing trend to store data in ‘the cloud’, as it gives us the ability to be more collaborative and flexible, and acts as a back-up in case of accidental loss of data on our local systems – and having to restructure could have a huge impact on the way we do business.
The European Commission has made it clear that it will come down hard on any business that chooses to ignore the new ruling. As a result of Safe Harbour being invalidated in October this year, organisations storing data in the US, or operating in both regions and thus sharing data for business intelligence, have already been asked to take precautions to make customers’ and/or employees’ personal information more secure.
So what does it mean for EU business? Who does it affect? What can we do to minimise the impact the new ruling may or may not have on our business? And finally – are there any approved alternatives to Safe Harbour for data transfer?