New Pact Saves Data Storage Companies After Safe Harbor Decision
Back in October, an agreement was reached between the United States and the European Union regarding American companies handling the personal data of overseas citizens.
This agreement created a “Safe Harbor” for U.S. businesses by decreeing that an American company could simply give its word that it planned to properly protect the data of Europeans (and would need no other form of assurance).
Promises are not generally taken at face value in the world of business, especially when it comes to data protection. However, this decision was more a symptom of desperate circumstances than thoughtful negotiation.
Because the European Union has enacted much stronger data-protection laws for its citizens than the United States has ever bothered to create, issues began to spring up regarding American companies (operating under more lax American law) becoming responsible for data belonging to people who expect their privacy to be better protected.
The European Court of Justice viewed the Safe Harbor Agreement as a band-aid solution to a deeper problem regarding world tensions around surveillance, terrorism, and privacy. In light of Edward Snowden’s revelations of the United States government’s collection of massive, indiscriminate amounts of personal data by snooping on cloud service providers, the European court ruled that the Safe Harbor protections were not acceptable.
The court found a real threat that the United States government would ignore the Safe Harbor protections meant to safeguard the data of European citizens. The court also cited the fact that neither European individuals nor European privacy authorities had any real way to punish U.S. government agencies for snooping if they were caught in the act.
Accordingly, the ECJ declared the agreement invalid.
This came as a shock for many European and American tech companies. The agreement was invalidated without any grace period, so many company leaders are being forced to choose between shutting down their companies and risking potential liability.
HyTrust Senior Vice President Fred Kost was skeptical about the decision:
“If companies want to completely comply, it likely means that they must examine what data they have from nations in the EU and begin moving the data to infrastructure housed in those nations or demonstrate that it is inaccessible if stored on infrastructure outside those nations via encryption or access controls,” Kost claimed. “The risk to companies lies in how quickly enforcement or legal action is taken.”
Accordingly, just yesterday the United States and the European Union made official a pact known as the EU-U.S. Privacy Shield, which asserts that:
- “Strong obligations on how Europeans’ personal data is handled and individual rights are guaranteed. The U.S. Commerce Department will monitor compliance with the obligations, and the Federal Trade Commission will provide enforcement.
- “A promise that access by U.S. law enforcement and national security agencies to Europeans’ personal data will be subject to clear limitations, safeguards and oversight mechanisms.
- “Establishment of several forms of redress for Europeans who believe their data has been misused.”
The glaring issue is, of course, that American government agencies will monitor their own country’s compliance with the obligations.