Yussi Pick is an award-winning digital campaigner at Pick & Barth Digital Strategies based in Vienna, Austria and Washington, DC. Sign up for his weekly Campaigner’s Tips at www.campaigners.tips. Thanks to longtime Epolitics.com reader and occasional contributor Henri Makembe for suggesting the article.
So, Safe Harbor is history. But what does that even mean, and how does that affect campaigning in Europe? Here’s what you have to know:
The EU has stricter privacy laws than the United States. So far, so obvious. That makes it illegal to transport data related to a person(1) to the United States or to store it there. However, the Safe Harbor Agreement made it possible for companies that have their servers in the United States to still offer their services in the EU.
A Safe Harbor certificate basically said: this server is protecting the privacy of a person as safely as if it stood within the European Union. In practice, it meant that even though the servers of, say, MailChimp are in the United States, a campaigner in Europe could use the service to send email blasts, because it was Safe Harbor certified.
Well, the European High Court decided that Safe Harbor, which was agreed on in 2000, is, now that we know about the NSA, not protecting data at the required standards anymore. They therefore invalidated it, effective immediately. Although, leave it to the EU to redefine “immediately”: the Commission, which is more business-oriented and less worried about data protection, is a little more relaxed about it:
“The two [Commission members] dismissed suggestions that the ending of Safe Harbor would bring an abrupt halt to the trans-Atlantic transfer of personal data, pointing out that European legislation also provides for a number of other ways of guaranteeing the privacy of such data.”
And Max Schrems, an Austrian law student, who led the charge against Safe Harbor, himself thinks that not too much will change, since the European Data Protection agency is pretty inactive.
So, what are the actual implications?
If you are doing online campaigning in Europe, using US services such as MailChimp, NationBuilder, Blue State Digital, etc., you need to know that any service that has its servers in the US and relied solely on the Safe Harbor agreement is in a legal grey area. Any other measures you have to take have to be judged case by case.
Some companies such as NationBuilder have already reacted and are promising a separate processing agreement. This seems to be the path forward until there is a new framework between the US and the EU, which is unlikely to happen anytime soon. However, it’s questionable whether these types of agreements are enough, since if the Safe Harbor opinion is strictly interpreted, every person whose data is transported and stored in the US needs to actively and knowingly agree to it.
What are the alternatives?
If you want to be on the safe side, you need to switch to European companies. For Email Marketing, that’s not so much of an issue (see list below), since there are tons of solid alternatives. For a full package, you have fewer alternatives. The two that come to mind right away are Engaging Networks, which is based in the UK, and Campaignion, which has offices in Austria and the UK and uses German servers, the mecca of privacy.
If you know any other services, let us know in the comments!
Needless to say, I’m not a lawyer, this is not legal advice. Don’t sue me.
(1) Leave it to German to have a word for it: “personenbezogen”.
Image of Port Vell in Barcelona by Diliff, via Wikipedia