Opinion: Why the global tech industry needs Safe Harbor 2.0

Dado Ruvic/Reuters/Illustration

A Facebook logo is seen in front of the logo of the European Union. An Austrian privacy activist's case against Facebook eventually led to this week's ruling that invalidated the transatlantic data transfer agreement known as Safe Harbor.

With the highest court in the European Union striking down the transatlantic pact that allowed thousands of organizations to transfer Europeans’ data to the US, the global tech industry is in something of a quandary.

Now European regulators can override the 15-year-old Safe Harbor pact because it exposes Europeans to indiscriminate surveillance by the US government and therefore violates their privacy rights. This has left companies and privacy lawyers scrambling to preserve businesses’ ability to transfer Europeans’ data to the US before regulators issue fines or orders to suspend the flow of data.

Many consider the court's decision a victory for privacy advocates. But it's also a regulatory nightmare for US corporations – especially those that operate data centers and other services where the information is transferred outside the EU. Tech companies will need to rethink and potentially restructure their approach to data management. And doing that won't come cheap.

In the global tech market, there's no way to get around data privacy laws and regulations. The Safe Harbor decision is in line with the EU data regulations set to be ratified next year, so the EU is consistent in its application and interpretation of citizens' rights when it comes to the free flow and protection of their information.

But in the wake of the court's decision, do we need a Safe Harbor 2.0? Obviously there needs to be something put in place – and it needs to be taken care of soon. You can’t just wipe out 15 years of Safe Harbor and expect businesses to operate as usual.

Tech companies must either comply with data privacy laws and regulations or face stiff penalties. And when it comes to jurisdictions, no two are alike in their regulations, privacy legislation, fraud and breach prevention. Regulations vary and have not been standardized when it comes to protecting data. Traditional information protection methods may be difficult to apply or useless when it comes to storing or harnessing data in the cloud.

Organizations of all sizes will have to better control their data, and be more prepared for what lies ahead. Unless you continuously monitor the rules, and put mechanisms in place to do so, you might be compromising not only your data but also your corporate responsibility.

This court's decision on Safe Harbor highlights just how fast regulations are changing. The 2015 Thomson Reuters Cost of Compliance report found that "more than a third of firms spend at least a whole day every week tracking and analyzing regulatory change. Global regulatory change is creating the biggest challenge due to inconsistency, overlap and short time frames."

Safe Harbor may not have been perfect, but removing it without a roadmap for the thousands of companies that are part of the agreement may appear reckless, to say the least. Safe Harbor was better than no agreement at all.

But with its demise, the onus is on businesses to establish themselves as trusted guardians of data. If they succeed, they'll benefit commercially. Still, they'll need guidance to ensure they can comply with Europe's toughening stance on data privacy – and for that, let's start working on Safe Harbor 2.0 now.

Steve Durbin is managing director of the Information Security Forum. Follow him on Twitter @stevedurbin.