Hacker News new | ask | show | jobs
by richmarr 3916 days ago
> Without the safe harbor agreement you can no longer avoid EU privacy regulations by storing the data in the US.

Maybe I'm missing something here.

My understanding is that the Safe Harbour agreement wasn't a mechanism for US companies to avoid EU data protection regulations... it was a certification that they did comply with EU data protection (particularly in situations where that data was transmitted outside the EU).

Now it's gone, EU customer data held by US companies will be governed by national data protection laws instead, so may end up having to be stored within the EU.

> The US privacy regulations are no longer considered compatible with the EU privacy regulations

I don't think they ever were, which is why the Safe Harbour needed to exist in the first place.
1 comments
flexie 3916 days ago
No, you are more or less right. The general rule is that personal data may only be transferred to organizations in third countries such as the US if they comply with the EU rules on data protection. See chapter IV of the data protection directive: http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:319...

In order to avoid that each EU member state would have to approve Google, Microsoft etc. one by one, the safe harbour framework was set up to let US companies self certify that they complied with the rules:

"In order to bridge these differences and provide a streamlined and cost-effective means for U.S. organizations to satisfy the Directive’s “adequacy” requirement, the U.S. Department of Commerce in consultation with the European Commission developed a "safe harbor" framework. The U.S.-EU Safe Harbor Framework, which was approved by the EU in 2000, is an important way for U.S. organizations to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities under EU member state privacy laws. Self-certifying to the U.S.-EU Safe Harbor Framework will ensure that EU organizations know that your organization provides "adequate" privacy protection, as defined by the Directive."

http://www.export.gov/safeharbor/eu/eg_main_018476.asp

That was obviously a broken system, partially because the certified companies didn't live up to the EU standards, partially because the US government violated the rules systematically through CIA, NSA etc.

The fault here is really European as much as American. By relying on the wolf to guard the sheep we very much had it coming.

link