From Dale Penn, Advent IM Security Consultant
Safe Harbour was a process by which US companies could comply with the EU Directive 95/46/EC on the protection of personal data when transferring data “across the pond”.
Intended for organizations within the European Union or United States which store customer data, the Safe Harbour Principles are designed to prevent accidental information disclosure or loss. US companies can opt into the program, as long as they adhere to seven principles and 15 frequently asked questions and answers (FAQs) outlined in the Directive.
These principles must provide:
Notice – Individuals must be informed that their data is being collected and about how it will be used.
Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
Security – Reasonable efforts must be made to prevent loss of collected information.
Data Integrity – Data must be relevant and reliable for the purpose it was collected for.
Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
Enforcement – There must be effective means of enforcing these rules.
Businesses have been using Safe Harbour for the past 15 years to help them get around the cumbersome checks to transfer data between offices on either side of the Atlantic.
However, earlier this month the Court of Justice of the European Union (CJEU) struck down Safe Harbour, largely due to the ability of US intelligence services to gain access to transferred personal data. It took the view that the intelligence services had access beyond what it considered strictly necessary and proportionate for the protection of national security. Coupled with this is a lack of any right for non-US persons to seek legal remedies in the US for misuse of their data.
Do not despair! On the 29th October 2015 Reuters reported the following comments from the U.S. Secretary of Commerce, Penny Pritzker:
“The so-called ‘Safe Harbour 2.0’ agreement currently being negotiated will meet European concerns about the transfer of data to the United States, a solution is within hand”
“We had an agreement prior to the court case. I think with modest refinements that are being negotiated we could have an agreement shortly”.
So there you have it: Safe Harbour will be modified and reborn as Safe Harbour 2.0. And as the CJEU has imposed a 3-month deadline to find an appropriate solution, it should be here by early next year.