Safe Harbour ends, so what next?

The difference in the approach to privacy matters between the U.S. and Europe and how to handle the flow of information between them has been a source of growing legal and political problems since the beginning of the global era and the explosion of the internet. The introduction of the Patriot Act in 2001 saw the erosion of US data privacy and has been the catalyst for the situation that we have now in 2015.

Huge changes have recently taken place that affect marketers and anyone who deals with the personal data of customers. They are mostly related to the suspension of the Safe Harbour agreement (2000/520/WE), which allowed European marketers and others to process the personal data of citizens of the European Union that was stored by companies from the United States.

Why was Safe Harbour suspended?

In October 2015, the European Courts issued a ruling in response to a complaint by Austrian citizen Max Schrems (@maxschrems) against the way American-based internet companies processed and stored the personal data of their customers. This decision placed a huge question mark over the future of the movement of transatlantic data.

The term “personal data” was given a legal meaning in the pre-internet era, giving rise to problems related to how to interpret the definition in a rapidly changing technological environment. Safe Harbour had a particular significance for the operation of SaaS services, where users entered their personal data into applications hosted on servers based in the U.S., like CRM and ERP systems and email communications platforms.

I recently invited Lucas Gladki, an attorney in the MyLo law firm, to discuss recent developments related to Safe Harbour and their implications for email marketers.

“Now that we all have access to smartphones, Google, Facebook and other online sources, it’s very easy to take different bits of data, put them together and connect them to a specific person,” says Lucas. “This makes it clear that email addresses are definitely part of any reasonable definition of ‘personal data’”.

What does the suspension of Safe Harbour mean for the market for internet-based services in Europe?

The importance of recognizing the legal obligations that govern the proper handling of personal information must be clear to anyone, including marketers, who deal with personal data.

Currently, each online business segment led by a U.S.-based firm has a strongly positioned European competitor that can easily comply with regulations to ensure the safe storage of data as defined by European law. This could possibly result in the migration of data to firms based in Europe that offer equal functionalities to their American counterparts.

What marketers can expect after the change?

The European Union is currently working on formulating a suitable replacement for Safe Harbour. The new vision of personal data privacy is expected to differ in significant ways from the understanding that was in place until recently.

The attorney emphasised that despite not being widely publicized, the regulations expected after Safe Harbour will provide severe penalties for the improper or inadequate handling of personal data. Potential legal consequences are likely to extend beyond civil responsibility to criminal penalties and violations of administrative law. Foremost among them will be heavy fines that are intended to impose serious consequences on anyone who fails to adequately follow the rules regarding the safekeeping of personal data.

It is quite difficult to quickly implement changes to deal with new procedures governing the protection of personal data and that’s why we should all prepare for organizational and technological updates that will need to be made.

How should marketers deal with the changes?

According to the lawyers in most EU jurisdictions, entering into a standard Data Transfer Agreement based on the Standard Contractual Clauses issued by the European Commission will be sufficient to ensure the correct handling and processing of personal data. Some countries may require the Agreement to be supplemented by the consent of the relevant local data protection authorities. Binding Corporate Rules (BCR’s) remain in place. If this is still not enough, then asking for and obtaining consent from the user is a final option that will satisfy all legal demands.