Do you use Mailchimp to 'Send Better Email', NationBuilder to 'Create More Action', Marketo to put 'Marketing First' or GMail your 'Business Email'? If so then a European Court of Justice ruling earlier this month, might mean you need to rethink your data management strategy and could potentially mean you have to change platforms.
Feeling relieved because you don't use any of the service providers listed? Don't worry, they're just a few examples, the tip of an iceberg - the ruling covers any US based company who could access your customers personal data. So potentially, that's your ticketing supplier, CRM (e.g. Salesforce), hosting platform (e.g. Pantheon), social platforms (e.g. Facebook, Twitter etc etc) and on and on and on. Basically any company operating out of the USA. In short, this ruling applies if you're an EEA (European Economic Area) based company and you're using any service provider to store any kind of identifiable personal data about your users, with any part of their data management infrastructure within the USA (irrespective of whether they physically share overseas data with that USA based infrastructure). The same rules (as part of the Data Protection Act) also apply if any of your data is shared outside of the EEA; the recent judgment just amends the 'deal' with US companies.
Sounds BIG? It is - in theory a large part of most EU citizens entire digital world is now at some level acting 'illegally' - but there's no definitive answer as to what is going to happen let alone what you (as an organisation) might have to do. As with most of technology, theory is out of step with reality allowing a gap to develop between them so that comment and interpretation (in equal measure scare-mongering and calming) is filling the gap.
Throw in inter-continental political jockeying and it's a recipe for confusion. It's a hugely important issue that at the same time is one that you don't need (or perhaps even can't) do much about (yet) beyond getting up to speed with what's going on, reviewing your platforms and data management procedures and understanding what impact any 'answers' might bring.
What is the 'Safe Harbor' agreement?
The European Commission has for many years had a formalised system of privacy legislation for individuals, which is regarded as more rigorous than that found in many other areas of the world, including, most notably, the USA.
To help protect the privacy of EEA citizens, companies operating in the EC are not allowed to transfer personal data to countries outside the European Economic Area unless the company involved guarantee adequate levels of protection to the individuals whose data is being shared. In 2000, the EC recognised that The Safe Harbor agreement offered adequate protection: as long as a company in the US was a Safe Harbor signatory, personal data about EEA citizens could be shared.
In short, Safe Harbor was a process used by US companies to comply with the European protection of personal data act. It is name-checked in the Information Commissioners Office's Guide to Data Protection (Principle 8).
So far so good. If you were an EEA based company (and for the moment at least, that includes UK companies) the directive made it possible for you/ your company to use US services for some or even all of your digital activities - for example the sending of campaigns via Mailchimp or the storage of personal data (name, address, purchase history, site tracking activity) on Pantheon's US-based hosting network or Salesforce's cloud based CRM platform. Personally we could all continue to use Facebook, the plethora of Google services and Twitter to our hearts content and be (ahem) safe in the knowledge that it was all fine and dandy. Everyone relaxes and there's another sigh of relief all round.
Except it isn't and to many it never was, as simple as that.
What's changed?
In a landmark ruling earlier this month, the European Court of Justice (ECJ) struck down the Safe Harbour arrangements with the US because it has concerns it gives American intelligence agencies (think NSA, Prism) access to European citizens’ data.
The background to the case behind the ruling is fascinating in itself. Following Edward Snowden's revelations about the extent of US intelligence agency activities, an Austrian student requested the that Irish data commissioner to investigate whether his Facebook (who's European HQ is in Dublin) data was adequately protected from spying by the NSA and Prism once transferred to the US. The ECJ was now ruled that there is not sufficient protection - likely because companies can self-certify and sign up to Safe Harbor. But it's not just big tech firms such as Facebook, Google and Twitter that are affected by the ruling, it's ANY US based service and therefore by extension that could be you if you're using any of these services. A full list of companies signed up to Safe Harbor and their current certifcation status is available here (make sure to search for the full company name - for example, Mailchimp is part of The Rocket Science Group and therefore listed under T).
Instead of signing up to Safe Harbor, companies will be required to create 'model contract clauses' instead which will need to be signed off
The problem potentially extends further - the US government now considers and treats any data on computers of US-owned companies anywhere in the world as 'fair game for examination'. So now we're not just talking about US-based services such as Mailchimp and Pantheon (with their data-centres actually in the US) but moreover, it would also include US companies using overseas data centres such as Amazon's AWS cloud service based in Ireland and US based Engaging Networks even though their servers are located in Canada.
What do you need to do?
In the words of one of our clients 'this ruling is huge' because with our cloud based world it's hard to see where might NOT be affected. The nature of cloud systems is that data is transferred promiscuously so as to create resilience and speed up access elsewhere (both of which we'd consider to be legitimate reasons to adopt cloud based platforms). So it's clear to see why many have said for a long while that Safe Harbour was flawed in principle and flawed in practice.
Firstly, as with most things, there's no need to panic.
Whilst it doesn't look like there's a grace period (so in theory you have to stop using the services now) the European Commission seems to be less fazed about the court's decision. The view is that the Commission considers the ruling to put it in a stronger position in the continuing negotiations with US authorities.
However, there's no clear indication of how long or even successful these negotiations might be.
As such, if you are EEA based or have EEA-based users (who you are storing data on) it would seem prudent to review the services you are using and what their status is at present. First up review your data infrastructure and service providers (subscriber, member, campaigning, fundraising, email services and other online platforms - perhaps including gmail and social networks) and see which parts are potentially affected. At the same time it might be sensible to start thinking about viable alternative services.
You could also encourage relevant providers to respond - it's interesting to see some providers, such as Marketo, already try to be on the front-foot about this issue. Meanwhile others, such as Salesforce, are still peddling a spiel of legalese and verbal ectoplasm. Some media outlets are even trying to make mileage out of it by suggesting that mass exodus' are already underway.
There's a lot to this issue, potentially a lot riding on it and a lot of eyes watching it and whilst 'something will be done' this isn't going to go away any time soon. The EC has outlined is priorities in dealing with this change in policy and they have also been negotiating improvements to the safe harbor agreement for the past two years, since NSA revelations. You'd be well advised to get up to speed. g
And if you think the potential exploitation of EEA data by US intelligence sounds eerily familiar, then you've probably been watching Homeland....
Further Reading:
- 'Safe harbour' ruling illustrates growing chasm between US and EU - The Guardian
- Europe’s highest court strikes down Safe Harbor data sharing between EU, US - Ars Technica
- No need to panic: European Commission upbeat about Safe Harbor ruling - PC World
- The real impact of the Safe Harbor ruling - Venture Beat
- European Commission Recommends Changes to Safe Harbor - Hunton & Williams (2013)
- US Government Guidance on Safe Harbor
- Facebook case may force European firms to change data storage practices - The Guardian
- Full list of companies signed up to Safe Harbor
- ICO Guide to Data Protection
Updates:
We published a follow up article to this in March 2016 called 'Goodbye Safe Harbour - Hello Privacy Shield' and we also have an up to date list of all of our privacy related blog posts in chronological order.