The lack of a cohesive body of data privacy and security laws in the U.S. created problems with transfers of personal information from EU citizens held by U.S. companies. Thus the EU-U.S. Safe Harbor was created and is administered by the U.S. Department of Commerce. Under the Safe Harbor, U.S. companies could self-certify their compliance with minimum standards of data privacy and security such that the EU deemed such companies efforts as adequate to meet EU data privacy and security principles (set out in both Directives and regulations). Late in 2015, the European Court of Justice issued a judgment declaring the Safe Harbor agreement as invalid. This decision is cause for concern as U.S. companies may discover that they are no longer in compliance with EU data privacy and security principles, even though they have self-certified under the Safe Harbor. Nevertheless, the Department of Commerce continues to allow U.S. companies to register and self-certify in the Safe Harbor program as a new solution is being sought to address tighter controls to meet more stringent data privacy and security principles.
In the meantime, companies of all sizes should be reviewing their current practices and reviewing the practices of any third party services providers being used, including cloud services. Be ready to take action. Approximately one third of all data transfers of personal information is between the U.S. and the EU. The EU General Data Protection Regulations (GDPR) set to become law in 2018 sets in place more rigorous regulations for consent to collect personal data, requests for removal of personal information from servers, and stepped up enforcement for complaints. The object of the GDPR is to ensure strict levels of security without impeding market growth for businesses. Fines for failure to comply with the new Regulations may result in fines of up to 4% of a company’s global revenue.
Although the GDPR isn’t scheduled to take effect for some time, moving to best practices and implementing changes that will ensure future compliance is necessary. Don’t wait until the Regulations become effective, the invalidation of the Safe Harbor can, and likely will, trigger law suits against U.S. companies regardless of whether they have self-certified under the Safe Harbor.
Don’t be left behind and leave your company exposed.