The Consequences of the Safe Harbour Ruling
“The most serious European backlash yet since the Snowden internet spying scandal.”
This is how the Financial Times, a journal not usually given to hyperbole, has described the European Court of Justice’s (ECJ) ruling on the Safe Harbour pact, declaring it invalid.
The ECJ has declared the Safe Harbour pact invalid because it does not, in its judgment, provide adequate data protections under EU law.
The short-term consequence will be uncertainty. This uncertainty will cause thousands of companies and millions of consumers in the US and the EU to reconsider decisions they have made about how to conduct business. For example, companies that have mutually pledged to implement strong data protection practices will re-examine the commitments to those practices and may choose to cease transferring data to the US. This is a real concern for all parties because the services have been duly vetted and chosen based on the economic benefits they provide. Stopping or curtailing the use of these services is an economic loss for all sides.
The most unfortunate aspect of these losses is that the companies involved have built their businesses based on sound data protection practices. Those practices include strong controls, such as encryption and strong authentication, combined with progressive policies and practices about data protection and use. Companies on both sides of the Atlantic have understood for years that data protection isn’t optional; it is mandatory. Years of work may have been shredded in the near term because of decisions made by their governments.
Mid-term consequences will be the rush for companies to utilize one of a few accepted ways to ensure adequate data protection or consent to transfer data. These include:
- Unambiguous consent of the data subject;
- Arguments that the transfer is necessary for the performance of a contract between the end customer and the applicable merchant; or
- Use of model contract clauses.
To those unfamiliar with the landscape, these options might appear to be reasonably straightforward. Yet most people who have been involved in crafting trans-Atlantic data exchange agreements would tell you they are anything but straightforward. They are solvable, but only with time and money.
Longer-term consequences may include a new type of protectionism inhibiting global trade. This would take the form of de facto tariffs on the transfer of data. Data is the lifeblood of modern business. It is not hard to imagine a scenario where governmental authorities dramatically increase the cost of transferring data to other countries in order to provide “unnatural” advantages to domestic industries. The overarching effect of such policies would be to create less competitive and efficient industries resulting in losses to all parties. These headwinds come at a time when success is difficult enough.
Kount, like many other data processors, has anticipated this decision. We are committed to working with our current and future clients to ensure adequate protections are in place both technically and legally. Kount continues to employ industry-leading technical measures and business practices to ensure data transferred to Kount is appropriately protected and processed. We are committed to making the adjustments required by the various data protection authorities to remain in compliance with data protection laws as they evolve.
Kount and other industry players have not yet received guidance from the EU Commission or national data protection authorities. We anticipate specific guidance will be announced in a few weeks. If your business requires more urgent attention to this issue, please contact us and we can work with you to put one of the known solutions in place.