What The EU-US Safe Harbor Is All About And How It May Affect Your Business

Learn what the EU-US Safe Harbor Agreement is all about and how it might affect your business.



As of this writing, the United States and European Union are in the thick of negotiations for a new Safe Harbor agreement. The result can have a profound impact on thousands of global businesses. In this post, we introduce you to the original Safe Harbor, how it came about, why it's been recently invalidated, and the possible impacts its future holds for a large number of businesses.


What went before

In 1995, the European Union (EU) adopted Directive 95/46/EC, a.k.a. the Data Protection Directive, a data privacy law governing the processing of personal data. This directive eventually formed the basis of the data privacy legislation enacted by EU member states and the other countries belonging to the European Economic Area (EEA).

One of the main provisions of these laws prohibited the transfer of personal information from the EEA to any other country in the world that lacked legislation providing adequate protection for data privacy.

Unfortunately, the data protection laws in the US didn't meet what the directive defined as an adequate level of protection. This became a major obstacle for companies in the US and in the EEA that relied heavily on data exchanges for their business operations. And so, in order to allow these transatlantic data flows (and commerce) to continue, the EU and the US tried to come up with legal solutions.

One relatively simple solution was the Safe Harbor agreement.

EU-US Safe Harbor in a nutshell

The EU-US Safe Harbor is by no means the only legal solution for moving personal data to the US. Companies may enter into standard contractual clauses, seek approval for binding corporate rules (BCRs), or ask consent from the data subject.

The problem with these other options is that they're significantly more tedious and complicated, and can take a great deal of time to put in place. Getting a BCR approved, for instance, which is really only suited to large multinationals, can consume several months.

By contrast, the Safe Harbor was far easier, which is why most businesses preferred it and why they are now so considerably affected by its demise.

Here's how the Safe Harbor worked.

Businesses that wished to transfer data across the pond simply had to publicly self-certify compliance with the 7 Safe Harbor Privacy Principles, which cover the following areas: notice, choice, onward transfer, security, data integrity, access, and enforcement. Self-certification basically meant the company promised to provide adequate data protection in line with the standards of the Data Protection Directive.

Those who had self-certified were added to a list on a Department of Commerce website. To continue transferring data, they were then required to re-certify every year and pay an annual fee of $100. Over 4,500 companies eventually signed up for Safe Harbor and self-certified.

Because there was no dedicated regulatory body for Safe Harbor, it was prone to abuse. It turned out that some of those who self-certified weren't really serious about implementing data protection. Those found guilty of deceptive practices were, of course, subject to enforcement action by the Federal Trade Commission, but only after the fact.

Nevertheless, some sectors in the EU saw the loopholes and started calling for a better alternative. While the clamor for an alternative grew, it wasn't strong enough to topple the then-existing arrangement.

But then a couple of things happened.

The road to invalidation

In 2013, Edward Snowden's revelations about the National Security Agency's surveillance practices shook the privacy world and took the conversation against Safe Harbor to a whole new level. But it didn't end there.

On the basis of the Snowden revelations, privacy activist Max Schrems filed a complaint against Facebook. In his complaint, Schrems alleged that, in light of the revelations, it was clear that his personal data, which was transferred from the servers of Facebook's Irish subsidiary to US-based servers, was no longer given the adequate protection the Safe Harbor was supposed to guarantee.

The complaint was filed with the High Court of Ireland, which in turn referred the case to the European Court of Justice (ECJ). In October 2015, the ECJ ruled that, in light of the latest developments, Safe Harbor no longer provided adequate protection and was therefore invalid. You can read the full court judgement here.

Its impact on data flow and businesses in general

The invalidation of Safe Harbor has huge implications for transatlantic data flows and commerce in general. As mentioned earlier, 4,500+ companies rely on the Safe Harbor framework for moving data from the EEA to the US. These companies are naturally directly affected by the invalidation.

But they're not the only ones affected. Thousands of other businesses that transact with these 4,500+ companies are likewise affected, and as you can imagine, this can lead to a domino effect across several industries.

We live in an age where businesses are highly dependent not only on data itself but also on the seamless flow of data. Major hindrances to that flow, like the one happening now, can result in lost opportunities and actual monetary losses.

If your business directly or indirectly relies on Safe Harbor, you may have to seek temporary shelter in the other legal options for moving data (standard contractual clauses, BCRs, or data subject consent) until EU and US negotiators arrive at a new Safe Harbor framework.