Gartner Blog Network


Loss of Safe Harbor creates regulatory fragmentation but EU-US data transfers continue

by Earl Perkins  |  October 6, 2015  |  5 Comments

I would like to introduce you to my colleague and friend Carsten Casper, who has been following today’s announcement from the European Union Commission regarding Safe Harbor. He believed this was an important event for our clients and wanted to provide some immediate comments and analysis on the topic. This coincides with another colleague of mine, Jay Heiser, who is also providing insight via his blog. Please take the time to read below; it is enlightening. Thank you!

———————————————————————————————————————————————————————————

Written by: Carsten Casper, Managing Vice President, Digital Workplace Security

The European Court of Justice (ECJ) ruled on October 6, 2015 that the EU Commission decision known as Safe Harbor is invalid. In practical terms, this means that each of the 28 national EU data protection authorities (DPAs) can now decide for itself whether a particular company’s data transfer arrangement between the EU and the US is legal, instead of deferring to the Commission’s adequacy decision. The ECJ’s press release on the ruling is available at http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf .

This is only the latest in a series of developments about privacy differences between the EU and the US, which also includes the umbrella data protection agreement (see http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm) for law enforcement collaboration, the US attempt to access a Microsoft email account in Ireland (see http://www.bloomberg.com/news/articles/2015-09-09/microsoft-argues-for-data-security-in-landmark-court-appeal) and the upcoming EU General Data Protection Regulation (see http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm) with its potential extraterritorial scope.

The immediate result is uncertainty in the market.

The course of action for companies depends on various factors, especially the type of personal data being processed, whether it’s employee or customer data, and the countries in which a company operates. Since there are various legal options and implications and Gartner does not give legal advice, companies should seek information from qualified legal counsel, such as Hogan Lovells, DLA Piper, Hunton & Williams, Latham & Watkins, White & Case. A good overview of possible actions is provided at http://www.dataprotectionreport.com/2015/10/day-after-safe-harbor-action-plan-anticipating-ecj-schrems-decision/ .

• Companies need to obtain legal advice, but should also consider that this is a new situation for the legal profession, including the various EU data protection authorities (DPAs).

• Replace Safe Harbor with EU Standard Model Contracts (mid-term), Binding Corporate Rules (long-term), or consider freely given, explicit individual consent for data transfers (not scalable) or other derogations (narrow scope). As of Oct 6th, 2015 a total of 4465 companies have current Safe Harbor certifications (not expired, see https://safeharbor.export.gov/list.aspx ), 76 companies use Binding Corporate Rules (list at http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm ) and tens of thousands of companies use standard model contracts (no registry available).

• Don’t think you’re off the hook if you don’t use Safe Harbor for international transfers of personal data. DPAs will feel encouraged to also evaluate model contracts and transfers to countries with recognized adequate protection – which are also based on EU Commission decisions.

• Strengthen your collaboration with data protection authorities in some countries, especially Germany, France, Spain, Italy, Poland as they will now (want to) have a greater say on international transfers.

• The ECJ ruling will have a financial impact in various ways. IT providers will feel (even more) inclined to host processing of personal data in Europe, requiring additional data center capacity. EU companies will favor data storage in Europe, potentially (having to) pay a higher price. Both parties will pay additional legal fees for new contracts, agreements and advice. EU data protection authorities will need additional staff to review complaints from EU citizens.

Key Findings

• It has been clear for years that Safe Harbor is a weak mechanism. Those relying on it knew they took a risk.
• The political implications (long negotiations) are incompatible with the need for IT and business decision makers to take action (short term).
• Businesses are more concerned about fragmented compliance in Europe, less about having to stop transfers to the US.

Recommendations
• Start or continue using standard contractual clauses, although even these might come under scrutiny.
• Differentiate by use case. Large volumes of consumer records need to be addressed first.
• Move personal data processing to the EU only if there is a clear business case, including actual (not just potential) fines or lost revenue due to lost customers.
• Focus compliance on the large EU countries, such as Germany and France, while waiting for new EU-wide agreements on transfers to the US, law enforcement collaboration or general data protection.

Category: cybersecurity  data-security  it-governance  privacy  regulation  security  trends-predictions  

Earl Perkins
Research VP
5 years at Gartner
32 years IT industry

Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management…


Thoughts on Loss of Safe Harbor creates regulatory fragmentation but EU-US data transfers continue


  1. Michael Adeeko (DL2C(ColorCodeIT)-Cool Vendor May 2012) says:

    Are there any impacts on the power and utilities or medical industry software in the EU and the USA?

  2. Anon says:

    The links are missing in the blog. Could you please provide these (search for “here” and you find where the links are missing).

  3. John Bartho says:

    Thoughts on Loss of Safe Harbor — the links noted within are missing and request these be added/updated.

  4. Earl Perkins says:

    Re: Michael’s question: Yes, if they used Safe Harbor to transfer personal data from the EU to the US, then they will need to change that; the methods used to do that change will vary.

  5. Earl Perkins says:

    For John and ‘Anon’, I have recopied Carsten’s blog and kept the references; accept my apology for missing that. Thank you for pointing it out.




Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.