Earlier this month the Court of Justice of the European Union struck down the EU-U.S. Safe Harbor Framework, which had let U.S. companies self-certify to a set of principles and take comfort that data flows from Europe would not run afoul of the stricter E.U. personal data protection laws. The case was brought by Austrian privacy advocate Max Schrems in the wake of the Snowden revelations about U.S. surveillance of data originating in the E.U.
Created in 2000, the Framework allowed for the lawful transfer of European citizens' personal data to the U.S. Without it, the E.U. prohibits transfers of personal data to countries outside the European Union that do not meet the "adequacy" standard for privacy protection set out in the 1995 E.U. Data Protection Directive (95/46/EC). The U.S. is not on the list of countries found adequate. For a good description of the ruling, go here.
I’m not Facebook or a cloud storage company, so why do I care?
Data transfers have not come to an immediate halt. Likewise, trans-Atlantic trade has not stopped. But you may not realize that you transfer the personal data of E.U. citizens, and you need to be prepared. Certainly, if you previously relied upon the Safe Harbor, you need to make some changes.
Do you take orders from E.U. customers? Do you have subsidiaries in the E.U. but process their H.R. functions here? Do you host the company email here, including the accounts of E.U. employees? Do you store information collected from E.U. citizens? Each of these is a transfer of E.U. personal data to the U.S., and it is easy to see how a company with no European data center at all can still be making them.
So what do I do?
Because the ruling is so new, a lot of people are still trying to figure out what exactly this means. Some suggested actions include: