To look at how the European Court of Justice’s ruling on Safe Harbor affects your email marketing, I think it prudent to look back at the history behind Safe Harbor and the impact the Patriot Act had on it. In 1998, the European Commission’s Directive on Data Protection went into effect. One of its basic premises would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection. The United States, while sharing the EU goal of protecting citizens’ personal data, takes a different approach to privacy from that of the EU.
For US companies to bridge the gap between the two standards, the US Department of Commerce, in consultation, drew up the “Safe Harbor” framework, against which US businesses could measure themselves and, if they met the criteria, self-certify and join the US – EU Safe Harbor program. This was all well and good, and many legitimate businesses joined up and agreed to meet the EU standards. The Safe Harbor program protected EU citizens’ personal data in the same way as if the data were stored within the EU member countries, and all was good. That lasted until after the atrocities of September 11th 2001, when the US government led by George W Bush signed the Patriot Act in October 2001. The Patriot Act, although well meaning, drove a massive hole through Safe Harbor because it effectively allowed the US government to spy on suspected terrorists by accessing all and any data sources stored in the US. From that day forward it technically meant that any personal data stored and hosted in the US was available for the US government to access and indeed use in the pursuit of terrorism. No bad thing, you might think, but it rather flew in the face of Safe Harbor and the European Commission’s Directive on Data Protection.
As marketers, though, we tended to sweep that under the carpet and continued to work with ESPs who hosted their data and/or their power MTAs and database servers in the US. No one complained, no one went to the ICO, no legislation was passed; in essence, it wasn’t broken, so why fix it? However, it was broken. The European Commission’s Directive on Data Protection was being breached, and every time we as marketers chose to use an ESP with a data centre in the US, or one who hosted their database servers or power MTAs in the US, we were flouting the directive. We were, in essence, not taking our role as data controller seriously.
So why is it news now? Well, last year, 2014, Austrian law student and privacy advocate Max Schrems brought a lawsuit against the Data Protection Commissioner, and not against Facebook as is being reported. Mr Schrems had lodged a complaint against Facebook with the Data Protection Commissioner in June 2013, which the Data Protection Commissioner did not investigate. It was that failure to investigate which led to the lawsuit that is now being reported as being against Facebook.
Today, the European Court of Justice ruled that a 16-year-old agreement, Safe Harbor, allowing American companies to handle Europeans’ data was invalid. Hosting European Union citizens’ data outside of the EU officially just became illegal.
So what is likely to happen? To be honest, I am not sure. Is it going to be like the Cookie Law, where not much will happen and companies will gradually get their houses in order, or is it going to be more like CASL (Canada’s Anti-Spam Legislation), with some hefty fines handed out to people in breach of the directive? As I say, I don’t know, but what I do know is that if I were using an ESP with data hosted outside of the EU, I would be looking for a new supplier. But as a supplier who hosts their data here in the UK, I guess I would say that!