The Court of Justice of the European Union has just declared the ‘Safe Harbour’ arrangement, governing the transfer of EU citizens’ personal data to the United States, to be invalid.
What is the impact of this decision for European marketers, and what does the Safe Harbour agreement cover?
First, let us recap what is covered by the Safe Harbour. For many years, the EU has provided a regulatory framework for the processing of personal data. A European directive obliges Member States to include in their national law provisions to ensure that the processing of European citizens’ personal data is covered by various notifications and precautions. Companies processing EU citizens’ data are supposed to apply these rules. By contrast, no such laws providing the same level of data protection exist in the United States. The directive stipulates that European citizens’ data can only be transferred to non-EU countries that lack a sufficient level of protection after the person concerned has been informed and given his or her consent.
Fearing that these rules might hinder economic exchanges between Europe and the United States, the European Commission set up the Safe Harbour agreement. Under it, member companies located in the United States agree to comply on a voluntary basis with the principles included in the directive. Transfers by such companies are therefore allowed even without the consent of the persons concerned.
This useful mechanism recently encountered a serious obstacle. Following a complaint made by an Austrian student against Facebook (which has a reputation for not being over-concerned about the protection of personal data), an Irish court asked the Court of Justice of the European Union whether, despite the Safe Harbour agreement, it could rule on the validity of certain data transfers. In response, the Court issued a landmark ruling on Tuesday 6 October: it simply ruled the Safe Harbour agreement to be invalid.
The main argument used by the Court is that the general surveillance rules established by the US National Security Agency (NSA) are inconsistent with the protection principles upheld by the European Directive, as American companies cannot reject personal data transfer requests made by the NSA.
The consequences for companies processing data in the United States are enormous. They can no longer invoke the principles of the Safe Harbour. They must therefore obtain an authorisation from each EU citizen whose data they intend to process in the United States. Given that nearly 4,000 companies use this scheme, the impact of the European Court of Justice decision can be imagined.
Where does this leave European marketers?
In a world where most of the tools used by marketers are today provided in SaaS mode, the question is worth asking. These tools involve the transfer of consumer data to remote servers. The geographical location both of the head office of the company providing the services and of its servers will therefore be crucial for determining whether the ruling regarding the Safe Harbour agreement affects their activity.
ACTITO is a European company whose shareholders are European. Our servers are located in Belgium. We do not transfer data outside the EU. The suspension of the Safe Harbour arrangement therefore does not affect our customers.
However, if you use the services of a SaaS supplier whose headquarters or servers are located outside the EU, you are exposed to a risk which is best assessed on a case-by-case basis. It is advisable in such cases to obtain the consent of each person whose data is being processed to the transfer of that data to a country outside the EU. Clearly, this is no easy matter, especially with regard to persons whose data has already been transferred outside the EU.
Do contact us if you have any questions.