European court rules Safe Harbor structure between U.S., Europe invalid
The European Court of Justice in Luxembourgh recently ruled that the “Safe Harbor” structure between the United States and the European Union (EU) is invalid.
Safe Harbor was the means by which U.S.-based firms could get a blanket approval regarding the movement of personal data, including human resources data, between the U.S. and EU member countries.
The decision is a direct result of the considerable suspicion of the global community regarding the extent of U.S. government surveillance of personal information (via the Patriot Act and others).
The U.S.’s National Security Agency (NSA) has taken the position that non-U.S. citizens have no rights regarding an expectation of privacy.
Further, United States law requires that U.S.-based organizations comply with surveillance orders — so the concept of data privacy becomes almost moot.
This concern with the U.S. government’s privacy intrusions also exists within the U.S. One major company, for example, is refusing to consider cloud or software service software solutions (for human resources and other functions), not because it doesn’t see the value of the technology, but because only by having its own data on its own internal servers can it be sure to know when the U.S. government is looking at its data.
If that data was held for the company by a third party prohibited from informing the company of the government’s interest, it would be completely unaware of the data leakage.
Unlike the United States, which has no federal privacy law (a source of serious concern to many organizations), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been considered adequate to protect personal privacy and an agreement similar to Safe Harbor has been unnecessary.
But the Canadian Communications Security Establishment (CSE) — the lesser-known of Canada’s two spy agencies, which focuses on electronic surveillance — may give rise to concern as well.
The Canadian Anti-Terrorism Act gave CSE expanded use of electronic surveillance, authorizing it to intercept foreign communications that begin or end domestically, as long as one party is outside Canada.
CSE shares information with intelligence agencies in the so-called “Five Eyes” group of countries — namely the U.S., United Kingdom, Australia, New Zealand and Canada.
As a result of the Safe Harbor decision, each European country is now free to apply its own regulations for organizations that move personal data to the United States, including the right to suspend personal data transfer to the U.S., possibly forcing organizations to host personal data exclusively within Europe.
This reflects the chaotic situation that existed prior to the establishment of Safe Harbor in 2000. At the very least, there will be enormous uncertainty surrounding global data management.
Many organizations will try to adopt model clauses that reflect binding corporate rules of data management, but the immediate fear is the time and effort that will be required to obtain approvals by every European Union country where a company wishes to do business.
Alternatively, the United States could negotiate a revised agreement that finds acceptance in the EU.
It has been suggested that individual consent for data transfers may survive this decision, but that option is the most administratively burdensome, in part because it can be revocable and because adequate tools to manage that process are in very short supply.
Supporters of the Safe Harbor concept see this as an extremely significant decision that will make the global management of organizations very difficult and far more costly and time-consuming.
And it strikes a major blow against organizations that try to consolidate data into an effective and efficient single database (look out, big data).
Safe Harbor opponents see this as an opportunity for the world to establish a stronger and more effective data privacy model focusing on the rights of the individual.
Time will tell which view is more accurate.
Ian Turnbull is managing director of Laird & Greer Management Group in Toronto, specializing in human resources, payroll and time system selection and management. He is also the author of the HR Manager’s Guide to Managing Information Systems (Carswell 2014). The author gratefully acknowledges the early reporting of Jon Neiditz of Kilpatrick Townsend & Stockton of Atlanta, Ga.