Email best practices
On October 6th 2015, the European Court of Justice (CJEU) cited Snowden and NSA spying in a ruling that invalidated the long-established Safe Harbor agreement between Europe and the U.S., which allowed the transfer and processing of data between servers in both countries.
The Safe Harbor Agreement, first established by the European Commission in 2000, allowed US companies to self-certify that they met the appropriate EU standards on personal data protection. More than 5000 “Safe Harbor self-certified” US companies will need to find an alternative solution to legally do business in the EU.
So what does this mean for giant internet companies, and more importantly, what does it mean for your business?
European privacy law does not allow the transfer of its citizens’ data outside of the EU, unless the data is carried to another location deemed to have “adequate” privacy protection policies.
The Safe Harbor agreement that was in place with the European Court and the U.S. was based entirely on a self-certification program for American companies, intended to facilitate the transfer of their EU customers’ personal data to US-based servers and data centers.
Tech giants and other large companies, like Facebook, that were previously self-certified under Safe Harbor have since announced that they would move quickly to modify clauses to protect EU data and adhere to the privacy policies under this new law.
The EU privacy regulator is set to replace Safe Harbor at the end of January. The new pact will likely be a restricted version of the data transfer process.
Each EU Member State has been assigned the task of determining whether to suspend data transfers to the U.S., given that companies may have put other transfer measures in place, such as “Binding Corporate Rules” or “EU Model Clauses”.
As an email service provider, we can’t offer legal advice, so we do encourage you to consult your attorney for a full understanding of how this will affect your business and necessary steps to take. In the meantime, we’ve put together some general guidelines to help you identify where you might potentially be impacted and how to seek regulatory compliance if needed.
As stated in our Privacy Policy, Mailjet’s servers are exclusively located in Europe and strictly comply with the European laws on personal data security.
In rare cases, Mailjet may have to transfer some data to U.S.-hosted services, for analytics or to fight spam for instance. In these circumstances in the past, we didn’t just rely on Safe Harbor certification, but also requested a firm commitment that these receiving services would comply with European rules, through binding DPAs (Data Protection Agreements) including European model clauses.
If you’re already a Mailjet customer, your data and that of your own customers or recipients are safe. The CJEU’s invalidation of the Safe Harbor agreement won’t impact the way you’re currently using our services. Rest easy and send confidently.
If you’re not currently using Mailjet, this CJEU decision might be a good opportunity for you to revisit your email strategy, taking a deeper look at how your customer data is currently being protected. Contact us if you’d like to chat more!
Update, 14th April: The EU and the US have been working together to create a new policy that will replace Safe Harbor. However, the new agreement, Privacy Shield, has not been finalised yet, and both Europe and the US still have work to do to come up with a new framework that ensures the protection of personal information in data transfers.
Is your business or organization affected by the invalidation of Safe Harbor? Do you have any tips to share on transferring data and adjusting to new regulations? Discuss with us on social media.