There has been a fair bit on the internet about the ECJ's rejection of Safe Harbour (SA), the agreement between the USA and the EU which provides a catch-all arrangement for the transfer of data between the USA and the EEA. There has been little new information of help for email marketing. Some things have become clearer and some confusion can be cleared up.
Firstly, the only country that the court decision affects is the USA. As long as the country you transfer information to is on the Information Commissioner's Office (ICO) list, or the security of it is adequate, then you can continue as before.
There has been a statement from the ICO accepting that compliance will take time, but how long they will allow is not clear. Further, the EU countries, such as Germany, which have stronger national protection for personal information than the UK, might force the ICO's hand in the matter.
It has also become clear that there is a problem with the American attitude to privacy of information, and the NSA is unlikely, to say the least, to reduce its ability to trawl through data on fishing expeditions. This is directly contrary to the EU attitude to privacy and it makes it difficult to see how an SA replacement could be worded.
There has been some suggestion that cloud-based storage of data is not affected by the court judgement, but there would appear to be arguments against this. Further, payment processing that has been outsourced to US firms might well not be able to comply with the requirements.
What is clear is that this is not the time to commit to investment in new systems as they might prove to be in breach of any new regulations. Given the ICO's promise of a period of adjustment, it might be best to assess your risks at this stage, rather than be panicked into what might be an expensive mistake.
Whilst for many of us the decision came well before it was anticipated, there is some suggestion that American companies that are data-rich have been setting up data centres in the EU and other compliant countries. This might be a good selling point but whether there is adequate protection, given that they are USA-based, is open to argument.
The Article 29 Working Party, part of the European Data Protection Group, has already called an 'extraordinary plenary' on the matter. One should hope for, rather than expect, a prompt decision on the way forward.
A clear and considered response from the regulators will arrive in due course but there seems little doubt that it will be unspecific and the convenience of the Safe Harbour agreement will be but a memory. That the USA and the EU are in negotiations currently is beyond a doubt. What seems most likely is a fudge, a political compromise that satisfies no one and hardly complies with Principle 8. Expect a challenge in the future. The problem will remain: how to transfer data to the USA when its safeguards fall well short of those demanded by the EU.
Now is probably the time to look for a solution that conforms to Principle 8 without exposure to the culture of the USA.