The European Court of Justice has decided that the Safe Harbour Scheme (SHS) does not provide adequate protection for data transferred to the USA and therefore it falls outside Principle 8 of the Data Protection Act. In essence the court has recognised that agreements cannot be binding on national governments. The court ruling stated: "legislation [in the USA] permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life."
Going by the reports of various commentators, the implications of this decision are unknown, other than that it will make data transfer, surely an essential nowadays, a bureaucratic nightmare. One possibility is that the USA will have to make individual agreements with all EEA countries. Even if that is so, the NSA's ability to harvest data on a general and not particular basis remains a hurdle that will be difficult to surmount.
The Information Commissioner's Office has issued a rather brief press release; the full text is here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/10/ico-response-to-ecj-ruling-on-personal-data-to-us-safe-harbor/
The most important parts state:
“The judgement means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this.
“It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure that they are complying with the law related to international transfers. We will now be considering the judgement in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them. Businesses should check the ICO website for details over the coming weeks.”
There is some comfort to be gained from the 'some time for them to do this'. It promises a certain, but unspecified, period of grace.
The decision of the ECJ is clear: the USA does not ensure an adequate level of protection, so one wonders what other methods of data protection could be sufficient.
That the case was brought against Facebook, based on the revelations in the Edward Snowden case, should not convince you that this is all about social media. It is not. Facebook complied with all the requirements of the time. This is entirely about the security of personal data, and that is what email marketing is all about.
You can take preparatory steps to protect the security of your data and, of course, lower the risk to your company. You must discover how exposed you are. How much data is available in the USA?
See if there are ways you could, if required, limit information sent to the USA.
The matter will be discussed at a very high level due to its importance to American businesses as well as ours. Keep an eye on the ICO website as well as this one. As soon as there is a development, we will post it. There is, I believe, more to come on this.