If you do a Google search on the recent decision handed down by the Grand Chamber of the European Court of Justice in Schrems v Data Protection Commissioner, et, al.holding that the U.S. Safe Harbor program invalid under the Data Directive 95/46/EC, you will get loads of stories with “stunning” in their headline or somewhere in their recounting of the court decision. If you then go look up the word “stunning,” you will find “causing, capable of causing, or liable to cause astonishment, bewilderment, or a loss of consciousness or strength.” Is that really the case here with Safe Harbor? Are we stunned that the European Union (“EU”) has finally said that U.S. Safe Harbor does not meet the EU’s requirements for adequate data protection? No, not if you look at recent history.
As long as I have been in the data protection space and attended privacy conference upon privacy conference, I have heard data commissioners from various EU member countries mock the Safe Harbor program and the American approach to privacy. Consistently, the term “Wild West” was thrown around at these conferences to describe how the U.S. and its companies allegedly handled their privacy and security obligations. Scholars have been documenting the European Union’s concerns with the “half hearted” approach of the United States to data protection since as early as 1998. As recently as February of this year, the FTC continued to try and counter this Wild West moniker.
When Edward Snowden disclosed the NSA surveillance program in 2013, those suspicious of the U.S. regime had their “smoking gun” which lead to more debates over Safe Harbor. This decision in Schrems is actually rooted in the Irish plaintiff’s concerns about NSA spying on the personal information stored on Facebook servers in the United States. Cloud technologies have only further illuminated the alleged deficiencies in U.S. Safe Harbor and blurring the borders and jurisdictions involved with data transfer. In a 2013 communication, the European Commission itself formally stated that “concerns about the level of protection of personal information of [Union] citizens transferred to the [United States] under the Safe Harbour scheme have grown.”
So, the fact that Safe Harbor has taken a potentially fatal punch in 2015 is hardly a surprise. Perhaps in acknowledging the deficiencies and concerns from nearly twenty years of complaining and an explosion of technology that makes information sharing easier than ever, the U.S. and EU have been working on Safe Harbor 2.0. I am sure this recent decision will expedite that work. So rather than getting caught up in the alleged “drama” of this occurrence, I encourage businesses to use it as a cautionary tale and reminder about some core principles of data privacy and security.
1. Transparency and trust are critical components of any privacy program. Have a good story. Be it an international compliance model, or the policy you post on your website, the level of transparency you provide to your data privacy practices is directly tied to the trust customers have in your business and regulators have in your representations. This “stunning” development is just another reminder on the importance of a business’s approach to privacy, messaging, and clearly communicating that approach to customers, law enforcement and regulators. So when (not if) you have a breach or security event, you can bet there will be a direct correlation to the success of your response and the degree to which you developed, maintained and communicated your data governance practices before such a breach or event. Forget data breaches and incidents, ANY CHANGE to your business might impact privacy and security – so better to know your story now so you can adjust quickly when that change comes.
2. Privacy is not the same around the world. As I have written about before, the U.S. views and regulates privacy differently than other countries. Doing business outside the United States requires careful consideration of many factors, starting with the question of what information you truly require to run your business and take care of your customers. The Schrems decision only impacts Safe Harbor and even then, to what degree, remains to be seen. Safe Harbor continues to remain active today and companies can still self-certify. However, businesses can still transfer the personal information of EU residents, provided the companies have the individual’s consent, do so under special contracts, and/or otherwise meet the compliance requirements for the impacted member states. This need not be complicated, but it does take special considerations and planning to navigate the frameworks involved.
3. Minimum Necessary and Limited Use. After considering whether you even need to collect personal information from outside the U.S., there remains the opportunity to reduce your exposure and compliance burdens by only collecting the minimum information necessary to complete a transaction and limiting the use to only critical transactions. Less is more when it comes to privacy compliance, not to mention lessening your security burdens; you do not have to safeguard information you do not collect, store or transfer in the first place.
4. Don’t forget employees. If you have employees living in other countries and collect, store and transfer their information to the U.S. for business purposes (i.e. payroll, benefits administration, etc.) you may have to comply with data privacy requirements in those countries. Personal information is not limited to customers. This is a good reminder for any company anywhere.
In closing, data governance will only continue to evolve with society’s norms, the technology available, and increasing laws and regulations. Old solutions will be replaced by better ones, and new approaches will always be needed. Take this opportunity and the discussion over this court case as a chance to evaluate your business’s footprint for privacy and security — inside the U.S. and beyond. Determine what information you need, where you need to keep it, and develop a governance program around that information, to include accounting for laws of other countries. It may not be as complicated as you think – but first, you have to think about it.