Modern field guide to security and privacy
A Facebook logo is seen in front of the logo of the European Union. An Austrian privacy activist's case against Facebook eventually led to this week's ruling that invalidated the transatlantic data transfer agreement known as Safe Harbor.

Opinion: Why the global tech industry needs Safe Harbor 2.0

The demise of Safe Harbor may be a victory for privacy advocates but it leaves global tech companies in the lurch. A new version of the deal is needed so that companies can get back to work while improving privacy protections for users around the world. 


With the highest court in the European Union striking down the transatlantic pact that allowed thousands of organizations to transfer Europeans’ data to the US, the global tech industry is in something of a quandary.

Now European regulators can override the 15-year-old Safe Harbor pact because it exposes Europeans to indiscriminate surveillance by the US government and therefore violates their privacy rights. This has left companies and privacy lawyers scrambling to preserve businesses’ abilities to transfer Europeans’ data to the US before regulators issue fines or orders to suspend the flow of data.

Many consider the court's decision a victory for privacy advocates. But it's also a regulatory nightmare for US corporations – especially those that operate data centers and other services where the information is transferred outside the EU. Tech companies will need to rethink and potentially restructure their approach to data management. And doing that won't come cheap.

In the global tech market, there's no way to get around data privacy laws and regulations. The Safe Harbor decision is in line with the EU data regulations set to be ratified next year. So the EU is consistent in its application and interpretation of citizens' rights when it comes to the free flow and protection of their information.

But in the wake of the court's decision, do we need a Safe Harbor 2.0? Obviously there needs to be something put in place – and it needs to be taken care of soon. You can’t just wipe out 15 years of Safe Harbor and expect businesses to operate as usual.

Tech companies must either comply with data privacy laws and regulations or face stiff penalties. And when it comes to jurisdictions, no two are alike in their regulations, privacy legislation, fraud and breach prevention. Regulations vary and have not been standardized when it comes to protecting data. Traditional information protection methods may be difficult to apply or useless when it comes to storing or harnessing data in the cloud.

Organizations of all sizes will have to better control their data, and be more prepared for what lies ahead. Unless you continuously monitor the rules, and put mechanisms in place to do so, you might be compromising not only your data but also your corporate responsibility.

The court's decision on Safe Harbor highlights just how fast regulations are changing. The 2015 Thomson Reuters Cost of Compliance report found that "more than a third of firms spend at least a whole day every week tracking and analyzing regulatory change. Global regulatory change is creating the biggest challenge due to inconsistency, overlap and short time frames."

Safe Harbor may not have been perfect, but removing it without a roadmap for the thousands of companies that are part of the agreement may appear reckless, to say the least. Safe Harbor was better than no agreement at all.

But with its demise, the onus is on businesses to establish themselves as trusted guardians of data. If they succeed, they'll benefit commercially. Still, they'll need guidance to ensure they can comply with Europe's toughening stance on data privacy – and for that, let's start working on Safe Harbor 2.0 now.

Steve Durbin is managing director of the Information Security Forum. Follow him on Twitter @stevedurbin.

