Safe Harbour was developed as an agreement between the EU and US. The EU has some of the toughest data privacy laws on the planet, in addition to a huge and affluent market.
In order for US technology and communication companies to get a foothold into this market, Safe Harbour was a guarantee by the US firms that they would match the EU’s standards. So if the data of EU people was held in the US, their data would be safe, secure and kept private in accordance with EU law.
This worked fine for more than a decade.
The problem for Safe Harbour emerged when Edward Snowden blew the whistle on the NSA and Prism, and the industrial-scale surveillance they carry out. If the NSA and Prism allow the US government to access EU citizens’ data at any time, this is in clear breach of the EU rules.
The judgement earlier this week by the European Court of Justice (ECJ) made this clear – Safe Harbour was invalid.
For data already transferred to the US before the judgment, don’t worry.
But if you are running campaigns today and use companies like, let’s say, Google, Facebook, Twitter, MailChimp, Salesforce, Tableau, and dozens of others; or if you work at or for a multinational, then any new transfer of data on EU customers to the US is technically illegal and a breach of the data protection regulations.
Such restrictions could make your job a little harder today, you might think.
We suggest you don’t panic. Yes, your campaigns may be in technical breach of the regulations today, but it’s reasonable to give time for companies to adapt.
In fact, the Information Commissioner’s Office has given some guidance already. David Smith, their deputy commissioner, said: "The judgment means that businesses that use Safe Harbour will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this."
The ICO will issue new guidance in the coming weeks and months, so while it’s not necessary to do anything yet, it’s a very good idea to start looking at alternatives, workarounds and processes that are not illegal.
Among all this sudden shower of uncertainty, there may be some cover.
A set of negotiations is already underway between the US and EU, known at the moment simply as the "Umbrella agreement". These negotiations are making good progress and cover law enforcement and a few other topics. In its judgement, the ECJ makes clear it was aware of these negotiations, which could be the basis for ‘Safe Harbour 2’ and may well accelerate now the original Safe Harbour is invalid.
These Umbrella agreement negotiations started back in 2013 once the implications of the Snowden files became clear, so while the ECJ judgement might be a shock, the Eurocrats are definitely thinking and talking about the next step.
But in the meantime, start thinking about how your EU data might be used legally, in case that umbrella has holes.
James Milligan is a solicitor for the Direct Marketing Association