The End of the Safe Harbor. Are You Ready for the Future?


Historically, legislation in the European Union (EU) has protected its citizens’ personal data, giving them the right to be informed of the existence of any personal data immediately concerning them and the right to modify or delete it if they deem it necessary. Because of the looser rules governing personal data protection in the U.S., the Federal Trade Commission and the European Commission came together in 2000 to negotiate and sign the Safe Harbor Decision.

The Safe Harbor Privacy Principles enabled some U.S. companies to comply with privacy laws protecting European Union citizens and allowed a massive transfer of personal information from EU citizens to companies like Facebook.

In 2013, Austrian citizen Maximillian Schrems formed an opposition campaign and lodged a complaint, urging European authorities to review the Safe Harbor Decision in light of Edward Snowden’s exposure of the National Security Agency’s monitoring practices. The European Court of Justice (ECJ) came to the decision that it no longer considers adequate the level of data protection for personal data transferred from the EU to the US, and, in October 2015, the ECJ declared the Safe Harbor Decision invalid.

The French National Commission on IT and Liberty (CNIL), which has issued warnings about the shortcomings of the Safe Harbor for many years, immediately responded to the ECJ decision by stating, “even when the European Commission has ensured the adequacy of protection, national data protection authorities, such as the CNIL, must be allowed to independently assess whether any personal data being transferred to a third-party country meets the requirements of the Directive.”

Who is affected? Any company that engages in data exchange with an American company—not just Facebook—will see data transfer procedures tighten. Now that the Safe Harbor provision no longer exists, the CNIL and other data protection authorities will have to be extra diligent about data transfer requests. And data protection authorities may be hit by a sharp increase in the number of files to process.

Companies must prepare for life without the Safe Harbor. Here are the Top 5 ways to get started:

1. Conduct an inventory of any data exchanges that were “secured” by the Safe Harbor. This is the #1 way to assess the actual level of risk to which you are exposed. It will also give you an initial analysis of the potential impacts the change will have on your operations.

2. Investigate whether your service providers pose a risk to your company. If you engage with any service provider based in the U.S. and sheltered by the Safe Harbor, carefully examine the outsourcing contract to understand what types of data transfer or access gaps are at stake.

3. Replace Safe Harbor protection with Binding Corporate Rules (BCR). These are internal rules of business that offer adequate levels of protection for personal data processed outside the EU. When data are validated by any one Data Protection Authority from the 28 European countries, they are considered valid by all 28 countries.

4. Plan and carryout a communication campaign for clients, service providers and employees.This is to ensure that all parties are aware of the ECJ decision, its implications for your firm and any ensuing changes to contracts and policies.

5. Involve your legal department in the process from day one, and use a third party if there is any doubt. These topics are complex. An expert opinion – supported by a strong legal practice – will help you make the right moves for your company.

ISG helps companies assess their data protection strategies. Contact us to discuss further.

About the author

Julien leads ISG’s digital practice in the South Europe and Middle East Region. Having been involved in more than 80 successful engagements in IT performance assessment and sourcing strategy, Julien brings his clients long-term experience and insight that draws from working with ten of ISG’s largest global clients. His tight focus on achieving business objectives makes him a trusted partner clients can rely on to deliver expert guidance and measurable bottom-line results. Julien has recently led a digital transformation strategy for IT, a hybrid-cloud computing solution design and a big data benchmark for major European corporations. He is fluent in French, English, and Italian.