Safe Harbour Agreement 101
We get asked by clients a lot about the Safe Harbour Agreement. As we work with so many EU programmes/public entities/companies based in Europe we also find ourselves needing to make sure third party products and services we recommend are either based in the EU or have signed the agreement. And we get questioned about it. A lot.
We’ll be blogging on the quests for some of these tools over the coming weeks, but first we thought it would be good to go back to basics - what is the Safe Harbour Agreement, why does it matter and why should you care?
The basics - What are European Personal Data Privacy rules?
In the mid 1990s, the EU wanted to ensure that there was a harmonisation of laws in all Member States towards personal data protection. After negotiations on a new directive and its entry into force in 1995, all Member States of the European Union had to ensure that Directive 95/46/EC was transposed into their own legal framework by the end of October 1998. This directive was then amended in 2003 by Regulation (EC) 1882/2003.
Both of these cover private and public organisations/companies which operate within an EU Member State. They also cover all data processed by automated means (e.g. a computer database of customers) as well as data contained in, or intended to be part of, non-automated filing systems (traditional paper files). Essentially, they say what information may be stored legally, for what purpose and how it may be stored. They also cover the data subject’s rights to ask to see the data, to data accuracy, to deletion etc., and that subject’s right to judicial remedy.
The EU’s ‘Adequacy’ Test
If you are a public or private organisation/body/entity within the EU and you collect personal data, you are not allowed to transfer that data outside of the EU unless the destination nation has been deemed by the EU to have ‘Adequate’ data protection law. To simplify a longer dispute into a sentence: the United States was not deemed to have adequate laws. (Besides the Safe Harbour Agreement, it’s an interesting area of law to follow to see the differences in the concept, idea and legal right to privacy between Europe and the USA.)
Granting Safe Harbour
In 2000, after a series of negotiations, the US and the EU reached an agreement that individual American companies could meet the ‘adequacy’ test by signing up to the ‘Safe Harbour Privacy Agreement’. Information on the agreement states:
In response to the European Commission Directive on Data Protection that could interrupt transfers of personal information from Europe to countries whose privacy practices are not deemed “adequate,” the U.S. Department of Commerce and the European Commission have developed a “safe harbor” framework that will allow U.S. organizations to satisfy the European Directive’s requirements and ensure that personal data flows to the United States are not interrupted. On July 27, 2000, the European Commission issued its decision in accordance with Article 25.6 of the Directive that the Safe Harbor Privacy Principles provide adequate protection. The safe harbor framework bridges the differences between the EU and U.S. approaches to privacy protection and ensures adequate protection for EU citizen’s personal information.
To understand the impact of this you need to look at the word ‘transfer’. For us, day to day, our work is made more difficult because this can mean simply ‘storing on a server’. For example, your contact database is stored on an Amazon server in US East (Northern Virginia)*. You are transferring data outside of the EU (note! both Amazon and Google have signed!). If you want to use an external tool which in any way means you are accessing/processing/storing personal data, you need to make sure that either (a) the data is stored in Europe, (b) it is stored in a nation which has met the EU’s adequacy test, or (c), if the tool is based in the United States (as many of the cool tools we love are!), the company has signed up to the Safe Harbour Agreement.
As a company we can seem overly enthusiastic about European companies (our recent reaction to Brightbox, as an example). Yes, we like to support European businesses, but it also makes it easier for us to know that the goods and services we recommend, and those we ourselves use, meet the level of personal data protection which we are legally obliged to follow. There is little that is more frustrating than finding something great and then realising that we can’t use it because of the lack of a Safe Harbour Agreement. We just wish more US companies would sign up! (sh)
* Not only does Amazon sell everything you could think of (and now food in Austria too - thank you Amazon!) but it also rents servers…