Safe Harbor, the 15-year-old data transfer pact between the US and the EU allowing the personal information of EU citizens to be transferred to the US without abiding by the strictures of European data protection legislation, was declared invalid by the European Court of Justice in a landmark ruling this week.
The court’s decision was the result of a legal challenge brought against Facebook by Max Schrems, an Austrian privacy campaigner who, in the wake of the Snowden disclosures, was concerned about the social network’s potential sharing of Europeans’ personal data with the NSA.
Schrems said: “This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights.”
Processing of Europeans’ data in the US contravenes EU laws
Under the EU Data Protection Directive (95/46/EC), EU Member States may only transfer personal data to a third country for processing if that country “ensures an adequate level of protection”. The ruling finds that Safe Harbor does not ensure such a level of protection. As the US has no national data protection law, the processing of Europeans’ data in the US now automatically contravenes the Data Protection Directive.
Wider implications for business
Some 5,000 US businesses – including Cloud storage companies – rely on Safe Harbor to transfer EU data to the US, effectively self-certifying that they apply appropriate data protection measures. Now, they are potentially liable to prosecution.
Frans Timmermans, the vice president of the European Commission, said the Commission would soon “come forward with clear guidance for national data protection authorities on how to deal with data transfer requests to the United States in the light of the ruling. Our citizens need robust safeguards and businesses need legal certainty. The guidance should help avoiding a patchwork of potentially contradicting decisions by the national data protection authorities and therefore provide predictability for citizens and businesses alike.”
Until that guidance is issued, US businesses would do well to look to international information security best practice, as set out in the ISO 27001:2013 standard.
Registration to ISO 27001 provides internationally recognized confirmation that security best practice is being followed and that organizations have taken appropriate steps to secure personal information in line with the requirements of EU data protection laws, including the forthcoming EU General Data Protection Regulation (GDPR)*, which will supersede the EU Data Protection Directive.
International information security best practice
Implementing an ISMS enables organizations of all sizes, sectors and locations to mitigate the risks they face with appropriate controls. An ISMS addresses people, processes, and technology, providing an enterprise-wide approach to protecting information – in whatever form it is held – based on the specific threats the organization actually faces.
If you need to comply with ISO 27001 quickly and easily to prove your security measures provide an adequate level of data protection, then IT Governance can help.
Priced from only $659, IT Governance’s ISO 27001 Packaged Solutions provide unique information security implementation resources for all organizations, whatever their size, budget or preferred project approach. Combining standards, tools, books, training, and online consultancy and support, they allow all organizations to implement an ISMS with the minimum of disruption and difficulty.
* Note: EU Regulations are directly applicable laws; EU Directives merely provide guidance for Member States’ own legislation – such as the UK Data Protection Act in the case of the EU Data Protection Directive.