The Safe Harbour problem isn’t going away. I know, I know, you’re bored now. TL;DR and all that. Well, sorry, but I find this stuff interesting, and you should too. Why? Because it looks like February 2016 is when things will get nasty. Nasty how? Expensively.
It’s all still opinion, but after the Germans weighed in against using BCR and Model Contracts to duck the Safe Harbour problem, now it’s the Dutch – specifically their Justice Minister, Ard van der Steur, who said this week that “It is not expected that the negotiations with the US will be completed very shortly.” Since the deadline is the end of January 2016, which feels like “shortly” to me, especially in the context of inter-governmental bureaucracy, I think it’s reasonable to assume it’ll be missed.
Unfortunately the Article 29 Working Party (sexy name, sexy function) told us in October that they were giving the EU and US until that deadline to sort things out, after which – here’s the key point – we can expect “co-ordinated enforcement actions”. Which is code for fines. Big ones. So far the ICO, and all the other interested parties, have been keeping their powder dry, but the opportunity to levy some record fines against US-based digital colossi must be deeply attractive – ‘look, we’re protecting our citizens’ interests like the nice, cuddly European liberal democracies we are, and collecting money from nasty tax-avoiders into the bargain.’
Of course the big players have big lawyers and this will inevitably drag on forever, but if your lawyers aren’t so big and you keep PII offshore you might find the ICO starts training their guns on you too. It won’t have quite the same political kudos, but it’ll still demonstrate that they’re taking “decisive action” – not something for which they’re generally known, after all. And it will hit your bottom line.
So if you don’t have an alternative outsourcer, hosting provider or data processing solution inside the EU, now might be the time to find one.