Thursday, October 15, 2015

Safe Harbor agreement was a crock. It’s time to start taking privacy seriously!

So the European Court of Justice has ruled, at the end of a case that had been running for two years, that the 15-year-old ‘Safe Harbor’ agreement with the United States, which was meant to protect the privacy of European citizens’ data when it is transferred to the US, is invalid. On the face of it, this is a big deal. After all, the whole point of having such an agreement in the first place was to ensure that online business between Europe and the US could go ahead with minimal interruption while at the same time safeguarding the privacy rights of EU citizens.

However, many people (including us here at IT Security Thing) have been saying for the longest time that Safe Harbor was a crock, and that it did nothing to provide the ‘adequate’ level of privacy protection, in line with EU data protection law, that must be in place before personal data can legally be transferred outside EU boundaries. The problem is that US companies may well have promised, via Safe Harbor, to protect EU citizens’ data once it left Europe, but that didn’t mean the US government and its law enforcement or intelligence agencies had agreed to anything. It is one thing for the likes of Apple, Facebook, Google and Microsoft to self-certify their data protection practices under Safe Harbor, and quite another for them to deliver on those privacy promises when a government agency requires them to hand over data stored in US-based data centres as part of an investigation. A self-certification binds the company that signs it; it does not bind the authorities that can compel that company.

What Safe Harbor actually provided was something that made life easier for the businesses concerned, which no longer had to jump through data privacy hoops (asking for consent, entering into bilateral agreements and so on) time after time when doing business with Europe. Ultimately, it didn’t provide much in the way of real protection for European citizens, which, as far as European citizens were concerned, was meant to be the whole bloody point.