The Information Commissioner’s Office (ICO) in the UK has confirmed that it will give companies time to get new data transfer agreements in place, but it is essential that the effects of the judgment are taken into immediate consideration. Data commissioners across other countries in Europe may not be quite so generous, however, with privacy focused jurisdictions such as Germany and France expected to take a tougher stance.
The case, brought by Austrian national Max Schrems against Facebook, concerns the transfer of personal data from Europe to the US – where many cloud servers are located – where they are susceptible to being accessed by the American National Security Agency (NSA) and others.
The Safe Harbour agreement was designed to protect the personal information of citizens when transferred out of the EU. The decision has confirmed that it has not been as effective as it should or could have been in this area. A new agreement, dubbed ‘Safe Harbour 2.0’ is being prepared, but no date has been given for it to become effective.
Who is affected?
It is not only tech companies who may be affected by the changes. Companies that rely on data storage in the cloud should check their agreements with providers and determine where the data is stored. What’s more, HR services, such as holiday and absence management that are often now run online, may also be susceptible to the change.
As tech companies respond to the fall-out from the ECJ’s decision, consumers of their services should expect revised terms and conditions to be sent out which should be carefully scrutinised by any person or organisation with responsibility for controlling or collecting personal data.
Organisations that have previously relied on Safe Harbour will have to consider what steps they should take to comply with data protection legislation, which may be more expensive and time-consuming for consumers as well as businesses.
David Smith, the deputy ICO commissioner has confirmed that no immediate action will be taken, but how much time will be seen as reasonable has not been suggested, but it likely to be weeks rather than months.
Facebook, against which Schrems brought the claim, is unlikely to be found at fault given the thousands of other businesses that have relied on the agreement, but it has been made an example of. Schrems has previously brought claims against the social media giant, all of which have failed or been dropped. The case will now be returned to the Irish court where it was initiated for a separate judgment in light of this clarification from the ECJ.
<a href=”http://www.flickr.com/photos/128884785@N06/16216011058″>Outside the European Court of Justice</a> via <a href=”http://photopin.com”>photopin</a> <a href=”https://creativecommons.org/licenses/by/2.0/”>(license)</a>