Safe Harbor not quite safe after all

Estimated reading time: 2 minutes
19, November 2015

Do you know where the online services your company uses store its sensitive information? Europe? The US?

Until recently, nothing was amiss, in legal terms, because the Safe Harbor framework was there. Under the EU Data Protection Directive (95/46/EC), personal data about Europeans may only be transferred to a country outside the EU if that country ensures an adequate level of protection. The United States as a whole did not meet that bar, but a European Commission decision from 2000 deemed US companies that self-certified under the Safe Harbor principles adequate, so transfers to those companies were allowed.

Emphasis on was, because that decision no longer applies as of 6 October 2015. So what happened? An Austrian law student, Max Schrems, lodged a complaint with the Irish privacy regulator about his data being sent from Facebook Ireland to parent company Facebook Inc. in the United States. The regulator rejected the complaint, relying on the Commission's Safe Harbor decision; Schrems challenged that in the Irish High Court, which referred the question to the Court of Justice of the European Union. The European Commission had assumed that, if a company was 'Safe Harbor certified' in the US, it was permissible to send personal data to that company under European privacy law. European privacy law, however, requires an 'adequate level of protection'. The court ruled that the Commission's decision did not establish this, not least because US authorities could access the data on a generalised basis and Europeans had no effective legal remedy, and declared the decision invalid (case C-362/14, Schrems v Data Protection Commissioner).

This does not mean that every transfer of personal data to the US has been illegal since 6 October 2015, but it does mean that Safe Harbor certification alone no longer makes such a transfer lawful. Companies that use American cloud software whose only basis was Safe Harbor certification, and whose customer data is stored or processed in the US, need another legal basis, for instance the European Commission's standard contractual clauses or binding corporate rules, and are obliged to take additional measures to ensure they still operate within the framework of European legislation. The European Commission has said it will publish guidelines in the near future.

If you want to be certain that your company's sensitive information is handled lawfully, call or email your supplier and check where their servers are located, including backups and any sub-processors they use; whether staff outside Europe can access the data for support or administration; which legal basis they rely on for any transfer; and what they are doing to secure the information. Physical location alone is not the whole story: remote access from the US to data stored in Europe is generally treated as a transfer too.

If their information is stored in Europe and stays there, you have much less to worry about. Additionally, we recommend working with organizations that are ISO certified. ISO/IEC 27001 is the standard that sets requirements for an information security management system; ISO 9001 sets requirements for quality management systems. Certification against these standards shows that a company has documented processes and has had them audited, which is good evidence that it takes security seriously, but it is not a guarantee that information is secure. Ask to see the certificate and check that its scope actually covers the service you are buying.

How do we deal with it? We take the privacy and security of customer information extremely seriously. After all, it’s what we do. The information of our European clients is stored in the Netherlands. Similarly, we store customer information for our Chinese clients in China. Every continent deserves its own safe harbor.
