On Tuesday, October 6th, the European Court of Justice (ECJ) struck down the U.S.-EU Safe Harbor Agreement. Under the Safe Harbor Agreement, US companies were allowed to collect and/or transfer data from the EU by “self-certifying” via the U.S. Department of Commerce that they were compliant with 7 Privacy Principles, instead of adhering to specific privacy laws in numerous EU countries. The agreement was designed to make it easier for US organizations to move the personal data of European subjects across to the U.S.
But as of Tuesday, according to the ECJ, the Safe Harbor Agreement (initially approved in 2000) violates the EU’s Data Protection Directive, which forbids the transfer of personal data outside the EU to a country with inadequate privacy protections. The Directive also requires each EU member state to designate at least one Data Protection Authority (DPA) to monitor the application of the Directive within its territory. The Safe Harbor Agreement was becoming a shortcut for American companies to avoid scrutiny by individual DPAs.
The case in which the ECJ made its ruling was sparked by Edward Snowden releasing documents that showed US intelligence agencies mining personal information from the data of U.S. companies. Once the case was referred to the ECJ, it ruled that US companies removing data from the EU can no longer hide behind the Safe Harbor Agreement.
Market Researcher Compliance
Tuesday’s ruling invalidated the Safe Harbor Agreement effective immediately, but it is likely understood that companies will need some time to assess their options and achieve compliance through other means, such as avoiding any US-based data hosting or required data access by American organizations.
U.S. companies — including survey, opinion and market researchers — are subject to a number of different DPAs across the EU, each of which will be individually responsible for determining whether the United States’ data protections are “adequate.” This makes removing EU data to the US, or accessing or hosting it there, far more complicated and perilous. Theoretically, U.S. companies could be subject to fines from which Safe Harbor previously shielded them.
We are monitoring news about the story as it advances, but for the short term, it’s important that all research firms that deal in personal information consider the implications of US access to international personal data.