What does the Safe Harbor Ruling Mean for Your Analytics?

Analytics Data privacy & security

Published October 13, 2015 · Updated April 12, 2023

On October 6, 2015, the European Court of Justice (CJEU) invalidated the US-EU Safe Harbor agreement, effective immediately. This ruling has potentially big implications for how US tech companies look after our private data. What does it mean for all of us, and how will it affect our use of digital analytics for business purposes?

The CJEU stated that the Safe Harbor agreement was not enough to assess whether US companies were taking adequate protection measures in transatlantic data transfers. The ruling is the culmination of the legal struggle of Max Schrems, a European privacy campaigner who filed formal complaints against US Internet companies on the grounds of their alleged collaboration with the NSA. Mr Schrems’ complaints were dismissed by Irish courts, which stated that such data flows were well-governed by the Safe Harbor agreement. When he contested the decision, the matter was referred to the European Court of Justice, the highest court in Europe.

What is Safe Harbor?

The Safe Harbor agreement was reached in 2000 to provide a convenient way for US companies to receive data from Europe without infringing the regulations outlined in the European Data Protection Directive, which forbids processing and transferring personal data to parts of the world without “adequate” privacy protection. Under the Safe Harbor framework, US companies could operate on the basis of “self-certification” of their compliance with European data-protection regulations. The list of firms relying on the agreement to facilitate data transfers is over 5,000 names long and includes technology giants such as Facebook and Google.

What’s wrong with Safe Harbor?

Safe Harbor started to crumble with allegations that, through tech giants’ access to the personal data of EU citizens, the National Security Agency could have reached this information as well, thereby infringing basic human rights as outlined in Art. 8 of the European Convention on Human Rights. Edward Snowden’s revelations galvanised scrutiny of American data-protection laws; the US and EU have been trying to renegotiate Safe Harbor since then, and Max Schrems’ case eventually brought this process to an end with the recent CJEU ruling.

“Safe Harbor today sits within a legal no-man’s land”, admits Aurélie Pols, Privacy & Digital Analytics expert at Mind Your Privacy, and adds that the issue of privacy is evolving rapidly, with the EU working on a General Data Protection Regulation (GDPR) that shall be unveiled in the spring of 2016.

What’s next in the case of Safe Harbor?

The very basic implication of this ruling is that US companies will no longer be allowed to proceed with transatlantic data transfers solely on the basis of “self-certification.” Each firm will have to register and inform the EU Data Protection Authorities (DPAs) about their data privacy practices as well as take immediate steps to ensure they are compliant with local regulations.

As Ms. Pols comments: “The European Court of Justice empowered all Europeans to become Max Schremses; it also reiterated the power of local Data Protection Agencies (DPA). The consequences of this will be heavier workload for DPAs while at the same time the principle of a one-stop-shop, one DPA representing Europe, is further watered down.”

So the issue is now in the hands of regulators in each country of the European Community – each member state will make its own decisions about how to interact with the US on data transfers.

What does Safe Harbor mean for your customer insights and analytics?

Every company serving European customers will now need to reassess its data practices – any third-party data-sharing could come under scrutiny from European DPAs, such as a third-party tracker on your website that collects IP addresses.

So what should digital analysts and other professionals relying on such insights do to avoid further trouble?

“You ought to at least figure out which of your tools fall under Safe Harbor and ask their vendors what they propose to replace the now invalid clause,” Aurélie Pols recommends, adding that since Safe Harbor has been in discussion for the last two years, some companies have already replaced their clauses related to international data transfers.

“Keeping your analytics data on your infrastructure means that you are free to choose where and how to store your customer data. Your clients and partners have assurance that their private data is protected – only you have access to it. If you need to migrate your data to another location or country, you can ensure that no data is left behind, because you are in control. As a result, your business is able to comply with local data privacy regulations with minimal effort,” explains Aubry.

Piwik PRO is free to download, modify, and use and lets you maintain full control over your data. Your data is stored in your own MySQL database, and logs or report data will never be sent to other servers by Piwik PRO.

With Piwik PRO on-premises, you also receive full technical support, monitoring, and maintenance to ensure your platform is always up to speed. The Piwik PRO Team will help you install Piwik PRO in your own cloud subscription with one of our certified providers, tweaking it to suit your particular business needs and expanding it with a variety of premium features and custom functionalities.

Schedule a FREE demo and see what Piwik PRO can do for your organization.


Ewa Bałazińska
