
5 Actionable Recommendations to Help You Deal With the Consequences of Safe Harbor

Categories: Analytics, Data privacy & security

Published November 5, 2015 · Updated August 20, 2019

The invalidation of the Safe Harbor agreement means that every company transferring the personal data of European customers to the United States now needs to reassess its data practices. How should you tackle the upcoming changes? Dr. Carsten Ulbricht, a lawyer and partner at BARTSCH Rechtsanwälte, provides sound advice on how to adjust to this new situation.

By invalidating the Safe Harbor agreement, the European Court of Justice held that self-certification by US companies is no longer a sufficient basis for assuming that they provide adequate privacy protection in transatlantic data transfers. Although the future of the Safe Harbor framework is not yet clear, all companies relying on such transfers should reassess their data practices now rather than wait for a replacement agreement.

A useful guide on this matter was provided by Dr. Carsten Ulbricht, who recommends a thorough review of data-protection policies so that clients, business partners, and all other stakeholders receive adequate privacy protection. Below, we summarise the five key takeaways.

Read also: What Does the Safe Harbor Ruling Mean for Your Analytics?

FREE Guide: Avoid Privacy Risks and Prepare for GDPR

Learn how GDPR will change web analytics and data collection practices:

download FREE guide

Check Your Own Data Processing

Make sure your clients' and employees' personal data is not transferred, directly or indirectly, to the United States. Indirect transfers are easy to overlook: they happen whenever a SaaS provider processes your data on US infrastructure, for example cloud-hosted email-automation tools, CRM systems, or web-analytics software such as Google Analytics. Inventory every third-party service that receives personal data and establish where each one stores and processes it.

Check the New Clause

If your US service provider issues a new data-processing clause or addendum in response to the Safe Harbor ruling (e.g. the Data Processing Addendum offered by Salesforce), that document should itself be checked for compliance with European data-protection standards rather than accepted as a formality.

If the data-importing company provides no sufficient contract, you need to check whether the transfer to the US can be legitimised, at least in the short term, on another basis: the consent of the data subjects, or an agreement between the exporting and importing companies based on the EU's standard contractual clauses.

It is necessary to examine whether your own data transmissions, and those of your US-based business partners, are fully in accordance with the European Data Protection Directive. If you have any doubts, put an agreement based on the EU standard contractual clauses in place as quickly as possible.

Go Local and Self-Host

Of course, you can also decide to work only with European software suppliers. As the future of the Safe Harbor agreement is still uncertain, choosing European providers is highly recommended: data that never leaves the EU does not depend on a transfer mechanism at all, and this should give you an adequate level of data protection.

Mr. Ulbricht mentioned Piwik PRO as an example of a tool that is compatible with European data-protection standards by default. Unlike Google Analytics, Piwik PRO is a self-hosted platform, so the analytics data stays on infrastructure you control and is never sent to a third party. It provides clear and in-depth insights into all areas of your business. You can use Piwik PRO for free, and if necessary, full technical support is available from the PRO Team.

Choose Compliance or Cease the Contract

If these changes do not result in new contractual agreements, in particular if your US supplier refuses to implement enhanced data-protection measures, this may in many cases be regarded as sufficient grounds to terminate the contract immediately.

For a full discussion of the consequences of the Safe Harbor ruling, please follow this link and read the original feature (full text in German).

Ewa Bałazińska