SMEs are likely to be hit hard by the ECJ’s decision to invalidate the Safe Harbour pact

Data protection law in Europe provides that personal data may not be exported out of Europe unless certain conditions are met. For over 15 years, more than 4,000 US companies have used the “safe harbour” rules agreed between the European Commission and the US Department of Commerce to transfer such data from Europe to the US.

However, the pact came under scrutiny when Austrian privacy campaigner Max Schrems challenged the implication of the agreement on fundamental rights around privacy – with the ECJ ruling in his favour.

According to Ryan O’Leary, senior director of the Threat Research Centre at WhiteHat Security: “I can tell you that companies saying they take security seriously often have no such security policies in place. There is absolutely no guarantee that these companies are protecting your data and adhering to their own stated policies. In addition, as Edward Snowden revealed, the US has developed many programs to access such protected data in the name of national security with company assistance. 

“However, one of the biggest issues here is that the EU has much stricter user privacy laws than the US. When this data is transferred from the EU to the US it opens up all sorts of issues for EU businesses that need to protect their users’ privacy.”

That the ruling may cause problems has been echoed by several experts. Ami Shpiro, founder and mentor at Innovation Warehouse, is of the belief that while the ruling may be intended to stop the few misusing data, it tars all businesses with the same brush. He explained that startups across Britain are working with data to drive forward new ideas and maintain the UK’s standing as a tech innovator.

“While the main focus has been on data heavyweights like Facebook the impact of this ruling will be much further reaching,” Shpiro said.

This was echoed by Mebs Dossa, a partner with McGuireWoods, who claimed that a significant number of SMEs are likely to be hit by the decision to invalidate the Safe Harbour with immediate effect. 

“Many of these bosses may not know that their cloud is located in the US and working under the Safe Harbour framework,” he said. They may also not realise that this ruling will have an impact on them – leaving them on the wrong side of the law and at risk of prosecution and fines.  

“The UK Information Commissioner’s Office may not bang on the door next week to bring non-compliant companies to book; it has stated that it recognises that all businesses will require some time to assess the impact of this decision and make alternative arrangements. However, its patience is not limitless and its hand could be forced by data subjects, and businesses should take steps sooner rather than later to find out if they are at risk and options available to them. It may take time to implement alternatives which could leave businesses exposed.”

He suggested that bosses needed to contact their cloud or service providers to find out if they are Safe Harbour registered, and if so, make alternative arrangements. They might need to renegotiate their contracts, or use an alternative legal method of data transfer such as EU model clauses. 

“They should assess the type of data transferred to the US and consider whether it is necessary for all data to be transferred,” he said. “If data does need to be transferred, companies can consider anonymisation and other techniques that would make data transfer compliant.”
