Author: Chris Cronin, ISO 27001 Auditor
The Court of Justice of the European Union has determined that E.U. Safe Harbor is not sufficient protection of European Union residents whose personal information is sent to the United States. This is a big deal for U.S. and E.U.-based businesses who have relied on the Safe Harbor framework as a method for cutting through regulations to conduct trans-Atlantic business.
The European Union and its member countries are stricter than the U.S. in their requirements for protecting personal information. In the E.U., privacy extends to protecting privacy of peoples’ religious affiliations, labor union membership, sexual orientation, and other information that can make people a target for human rights abuses. In the U.S., we focus more on information that can lead to fraud or health information that may prevent someone from gaining employment (keep in mind that HIPAA was originally made to provide for portable insurance coverage).
A key concept underlying E.U. data protection laws is that European companies can expect that all of their local peers protect personal information in the same way. U.S. companies, however, are not nearly as prepared to meet the E.U. standards. So the E.U. Safe Harbor framework was designed as a collaboration between the U.S. Department of Commerce and the E.U. to give E.U.-based organizations a way to declare to their government that they forwarded personal information only to safe companies, even when they are in the U.S.
E.U. Safe Harbor in a Nutshell
The E.U. Safe Harbor framework has always been a self-certifying standard, meaning that an American organization can take a look at their own security and privacy practices, determine that they match the E.U. Safe Harbor framework principles, and then declare to the U.S. Department of Commerce that they comply with the framework. Any E.U.-based company can then go to the E.U. Safe Harbor web site to see if an American business partner is listed there. If they are, then the E.U-based company has permission from their local government to send personal information to the American company.
And that’s all there is to it. There are no actual demonstrations of compliance, no independent audits, nothing of the sort. The Federal Trade Commission will check to see if you claim to be certified, but are not listed on the web site (therefore engaging in a deceptive practice). However, there are no actual audits to determine whether the seven principles of the framework are being followed.
In its recent decision, the Court of Justice stated that the E.U. Safe Harbor agreement, and it principles, are not sufficient evidence that an American company will adhere to privacy principles and reasonable security controls. The gist of their determination was that the U.S. government, from time-to-time, seizes and observes personal information from American organizations, and therefore, E.U.-based residents are no longer assured of privacy.
So American companies, and their E.U.-based business partners, are left without direction from their governments about how to continue to do business that relies on sharing personal information. While we can expect that each European country will create their own Safe Harbor framework, as Switzerland did several years ago, this may take some time.
While we wait for guidance from U.S. agencies and E.U. Counterparts it makes sense for American companies to hold steady. American companies should keep operating to the Safe Harbor principles as if they are enforceable. These are good practices that make companies good stewards of people’s information, and allow them to demonstrate appropriate care for the personal information we handle and share.
E.U.-based companies are in a quandary, however. They will need to know from their American counterparts how well they adhere to tougher local laws (The E.U. Safe Harbor principles are far easier to comply with than the more complex requirements that vary from one country to the next). American companies should get in touch with E.U.-based business partners and develop a specific plan such as determining if there is a way to do good business without sharing personal information or whether E.U.-based data can be kept in the E.U. until a new agreement is made (which could take several years, if it happens at all). American companies should not be surprised if E.U. counterparts request that they are as secure and auditable as they would need to be if they were operating in an E.U.-based country. American companies should take that recommendation seriously and investigate what the actual requirements are to determine what degree to which they can operate to those standards.
International business now relies on the sharing of personal information. The U.S. has proven for generations that we can meet market demand and the requirements placed upon us. No doubt we will rise to the occasion and get secure enough to meet the tougher European security and privacy standards coming our way. In the meantime, American companies should operate as if E.U. Safe Harbor is still in effect, but also prepare for more stringent security standards and audit requirements.