Opinion: Why the global tech industry needs Safe Harbor 2.0

The demise of Safe Harbor may be a victory for privacy advocates but it leaves global tech companies in the lurch. A new version of the deal is needed so that companies can get back to work while improving privacy protections for users around the world.

A Facebook logo is seen in front of the logo of the European Union. An Austrian privacy activist's case against Facebook eventually led to this week's ruling that invalidated the transatlantic data transfer agreement known as Safe Harbor.

Dado Ruvic/Reuters/Illustration

October 8, 2015

With the highest court in the European Union striking down the transatlantic pact that allowed thousands of organizations to transfer Europeans’ data to the US, the global tech industry is in something of a quandary.

Now European regulators can override the 15-year-old Safe Harbor pact because, as the court found, it exposed Europeans to indiscriminate surveillance by the US government and therefore violated their privacy rights. This has left companies and privacy lawyers scrambling to preserve businesses’ ability to transfer Europeans’ data to the US before regulators issue fines or orders to suspend the flow of data.

Many consider the court's decision a victory for privacy advocates. But it's also a regulatory nightmare for US corporations – especially those that operate data centers and other services where the information is transferred outside the EU. Tech companies will need to rethink and potentially restructure their approach to data management. And doing that won't come cheap.

What the EU Safe Harbor ruling means for data privacy

In the global tech market, there's no way to get around data privacy laws and regulations. The Safe Harbor decision is actually in line with the EU data regulations set to be ratified next year. So the EU is consistent in its application and interpretation of citizens' rights when it comes to the free flow and protection of their information.

But in the wake of the court's decision, do we need a Safe Harbor 2.0? Obviously there needs to be something put in place – and it needs to be taken care of soon. You can’t just wipe out 15 years of Safe Harbor and expect businesses to operate as usual.

Tech companies must either comply with data privacy laws and regulations or face stiff penalties. And when it comes to jurisdictions, no two are alike in their regulations, privacy legislation, fraud and breach prevention. Regulations vary and have not been standardized when it comes to protecting data. Traditional information protection methods may be difficult to apply or useless when it comes to storing or harnessing data in the cloud.

Organizations of all sizes will have to better control their data, and be more prepared for what lies ahead. Unless you continuously monitor the rules and put mechanisms in place to do so, you risk compromising not only your data but also your corporate responsibility.

This court's decision on Safe Harbor highlights just how fast regulations are changing. The 2015 Thomson Reuters Cost of Compliance report found that "more than a third of firms spend at least a whole day every week tracking and analyzing regulatory change. Global regulatory change is creating the biggest challenge due to inconsistency, overlap and short time frames."

Safe Harbor may not have been perfect, but removing it without a roadmap for the thousands of companies that are part of the agreement may appear reckless to say the least. Safe Harbor was better than no agreement at all.

But with its demise, the onus is on businesses to establish themselves as trusted guardians of data. If they succeed, they'll benefit commercially. Still, they'll need guidance to ensure they can comply with Europe's toughening stance on data privacy – and for that, let's start working on Safe Harbor 2.0 now.

Steve Durbin is managing director of the Information Security Forum. Follow him on Twitter @stevedurbin.