Your operational excellence is our business.
Whatever your business issue, our team of experts is here to help.
And stay connected with ISG by following us on:
By Julien Escribe, Partner
Historically, legislation in the European Union (EU) has protected its citizens’ personal data, giving them the right to be informed of the existence of any personal data immediately concerning them and the right to modify or delete it if they deem it necessary. Because of the looser rules governing personal data protection in the U.S., the Federal Trade Commission and the European Commission came together in 2000 to negotiate and sign the Safe Harbor Decision.
The Safe Harbor Privacy Principles enabled some U.S. companies to comply with privacy laws protecting European Union citizens and allowed a massive transfer of personal information from EU citizens to companies like Facebook.
In 2013, Austrian citizen Maximillian Schrems formed an opposition campaign and lodged a complaint, urging European authorities to review the Safe Harbor Decision in light of Edward Snowden’s exposure of the National Security Agency’s monitoring practices. The European Court of Justice (ECJ) came to the decision that it no longer considers adequate the level of data protection for personal data transferred from the EU to the US, and, in October 2015, the ECJ declared the Safe Harbor Decision invalid.
The French National Commission on IT and Liberty (CNIL), which has issued warnings about the shortcomings of the Safe Harbor for many years, immediately responded to the ECJ decision by stating, “even when the European Commission has ensured the adequacy of protection, national data protection authorities, such as the CNIL, must be allowed to independently assess whether any personal data being transferred to a third-party country meets the requirements of the Directive."
Who is affected? Any company that engages in data exchange with an American company—not just Facebook—will see data transfer procedures tighten. Now that the Safe Harbor provision no longer exists, the CNIL and other data protection authorities will have to be extra diligent about data transfer requests. And data protection authorities may be hit by a sharp increase in the number of files to process.
Companies must prepare for life without the Safe Harbor. Here are the Top 5 ways to get started:
ISG helps companies assess their data protection strategies. Contact me to discuss further.