In early October, the EU Court of Justice invalidated the US “Safe Harbor” agreement regarding the transatlantic transfer of EU user data. It is the responsibility of the national authorities of EU member states to ensure that the recipient country of transferred data can guarantee that it will protect users’ privacy in line with EU privacy legislation. However, the Snowden revelations of 2013 cast reasonable doubt on whether user data is sufficiently protected within the United States in cases of national security, law enforcement and public interest. The transatlantic “Safe Harbor” agreement appeared to be ineffective against violations of EU citizens’ fundamental human rights to private life and judicial protection.
The Safe Harbor Decision was questioned two years ago by an Austrian privacy campaigner, Maximilian Schrems, who pointed out that the storage of Facebook personal data on servers in the US does not comply with EU privacy protection laws. With the Safe Harbor agreement annulled, large US-based companies like Google, Facebook, Apple and Microsoft are forced to introduce new clauses in their contracts and prove that their data protection is compliant with EU laws, while a new working framework for transatlantic data transfer is being developed.
The same will apply to smaller enterprises and startups, and it is as necessary as ever that these companies disclose the country hosting the servers of their cloud supplier, so that their customers can make informed decisions. While the new framework for transatlantic data exchange is being produced, European companies are putting on hold their contracts with some popular software providers that do not have data centers located in Europe.
Email marketing providers such as MailChimp and Campaign Monitor, for example, have already received customers’ queries regarding the invalidation of the Safe Harbor regulation and have published replies on their websites regarding the effect this will have on their European users. It appears that many corporate clients are forced to temporarily suspend their services with email marketing providers that have their servers located within the US. In search of alternatives, clients should look for Europe-based providers that do not require transatlantic data transfer. MoonMail, for example, is a European email marketing software based on Amazon Simple Email Service that allows you to choose a server location closest to your application, with available data centers within the European Union.
The decision from the Court of Justice regarding the “Safe Harbor” agreement does not really come as a big surprise. In recent years, the European Union has taken several steps that showed its disagreement with the way US legislation handles data protection. In May 2014, the European Court of Justice ruled in favor of the “Right to Be Forgotten”, according to which European citizens have the right to demand the elimination of their personal and sensitive data from search engine results, if this information is inaccurate, inadequate, irrelevant or excessive. In this case, the burden of proof lies with the company, not the customer, to show that the data in question is, in fact, relevant and adequate, and cannot be deleted.
There is no doubt that an alternative safe harbor agreement will be introduced in the future, but meanwhile, all European companies are advised to ensure that the protection of their customer data cannot be compromised.