As a guy who straddles the line between technology and marketing, this is an interesting week. If you haven’t heard, the European Court of Justice struck down the Safe Harbor agreement from 2000 that protects your ability to move data from the European Union to the U.S. A lot has been written about how this affects IT or big cloud companies, but not a lot about how it impacts marketers. Well, it definitely has an impact on you. And the ruling affected the agreement immediately.
In essence, it means that marketers on the whole need to get smarter about technology and understand it much better. This is my legal take on the Safe Harbor ruling and it’s written in my layman’s terms. If you do business in Europe or pull data from Europe to the US (including for employees), you need to call your attorney today and figure out what is next. You need a legal opinion that you can stand behind.
Here’s my initial take on some of the ramifications:
- Big versus small. This ruling seems aimed at Facebook, Amazon and the other big players, but it actually impacts the small guys in a much more meaningful way. The big guys have data centers in Europe and already have some legal protections in place for what they are doing. The small guys don’t and will need them fast. It also impacts the costs of expanding into Europe for marketing teams – additional safeguards on data will be required.
- Data streams. Suddenly marketers need to understand their data flow. Where “in the cloud” are you storing data? The key question is around European privacy. If you’re taking data that can identify a person in Europe and moving it to a cloud service in the US or to your servers, this ruling impacts you. You’ll need cloud services that store data in Europe and some safeguards that keep personally identifiable data from flowing to the US.
- Lawsuits. The door is now open to lawsuits from EU residents who feel you are not protecting their privacy. US laws are very lax on privacy, whereas the EU takes it very seriously. So far, US companies have been able to ignore EU privacy laws for the most part. That is not true post-ruling (until a Safe Harbor 2.0 gets nailed down).
- Protections. Again, this is my opinion and I am not an attorney. Talk to yours. Here are some ways to try and protect yourself from this ruling:
  - Require EU users to agree that you can transfer their data overseas. It also helps if you have a rational need as to why the data is transferred, e.g. we ship from the US, etc. This is a good way for ecommerce retailers to protect themselves.
  - Use one-way hashing algorithms to encode the data and discard personally identifiable information. If you don’t need to identify the specific person, then don’t. This way you can continue to use data for analytics and modeling, but you protect yourself from privacy lapses.
  - Model Clauses. This is the way big guys deal with it. Talk to an attorney.
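A sketch of the one-way encoding idea from the list above, as an added example that is not part of the original post. It assumes hypothetical field names, a constructed placeholder key, and HMAC-SHA256 as the one-way function; it also shows why a plain unkeyed hash of an email address can be matched back to a person by anyone holding a list of addresses.

```python
import hashlib
import hmac

# Hypothetical field names for a constructed customer record.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "street_address"}
# Assumption: the real key is generated and kept in the EU and never exported.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

def normalize_email(email):
    return email.strip().lower()

def naive_hash(email):
    """Unkeyed SHA-256: one-way, but anyone can recompute it for a known address."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()

def pseudonym(email, key=PSEUDONYM_KEY):
    """Keyed token: stable per person, cannot be recomputed without the key."""
    msg = normalize_email(email).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def match_known_addresses(token, known_emails, hash_fn):
    """Audit check: can a token be linked to a person from a list of addresses?"""
    for candidate in known_emails:
        if hmac.compare_digest(hash_fn(candidate), token):
            return candidate
    return None

def strip_record(record, key=PSEUDONYM_KEY):
    """Drop direct identifiers, keep analytics fields, add a keyed token."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["customer_token"] = pseudonym(record["email"], key)
    if "postal_code" in out:
        out["postal_code"] = out["postal_code"][:2]  # coarsen location
    return out

# Constructed sample data: the same person appears with different casing.
SAMPLE = [
    {"name": "Anna Example", "email": "Anna@Example.eu", "phone": "000",
     "postal_code": "10115", "order_total": 42.50},
    {"name": "A. Example", "email": " anna@example.eu", "phone": "000",
     "postal_code": "10115", "order_total": 17.00},
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(strip_record(row))
    known = ["bob@example.eu", "anna@example.eu"]
    print("unkeyed hash links to:",
          match_known_addresses(naive_hash(SAMPLE[0]["email"]), known, naive_hash))
    print("keyed token links to:",
          match_known_addresses(pseudonym(SAMPLE[0]["email"]), known, naive_hash))
```

The token still lets both orders be counted for the same customer, which is what keeps the data usable for analytics and modeling.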
I’m hearing two things: small guys feel like they will never get noticed or they haven’t even heard of the Safe Harbor ruling. Both are dangerous. My understanding is that any E.U. user can file the lawsuit that causes you problems. So being small isn’t a big protection if you’re doing business in Europe.
I recommend at a minimum that you take the time to write up a legal blurb that says “if you click this button, your data will be used in the United States” etc. And understand why you need the data here. If you’re collecting a lot of E.U. personal data, I recommend figuring out your data flows and making sure you keep the E.U. data in the E.U. unless you have a clear, documented rationale why that won’t work.
More to come in the next week as attorneys start parsing the ruling and its ramifications. On a side note, we need to push the U.S. to get the Safe Harbor 2.0 done, so write or call your congressman. Rumors are that it is delayed over access to data by U.S. government groups. That’s frankly ridiculous in my opinion.
Have I missed something? Or stated it wrong? Please let me know in the comments.