Since the fall, companies that transfer data between the U.S. and the EU have been having some headaches — headaches costing up to £100,000 ($149,000), according to the Direct Marketing Association (DMA).
Oct. 6 saw the landmark ruling between Max Schrems and the Data Protection Commissioner that invalidated the U.S. and EU Safe Harbor agreement, a blanket framework that allowed for the free transfer of data between the U.S. and the EU. Some 35,000 organizations were signed up to Safe Harbor, allowing them to transfer data, ranging from employee payroll information to customer purchasing history, across the Atlantic.
For this interim period before a new Safe Harbor 2.0 can be agreed, companies have had to use workarounds to avoid breaking the law and face fines.
The DMA anonymously polled its U.K. members, some of whom include Barclays, BT and Sky, marketing agencies and suppliers, and found that introducing alternatives to Safe Harbor is costing 18 percent of companies between £50,000 and £100,000, ($74,000 and $149,000). While nearly two-thirds (63 percent) report that it’s costing less than £10,000 ($15,000).
In the last two months, companies that want to continue transferring data across the Atlantic have had several options: continue transferring data between the two regions and risk compliance penalties (which 43 percent of DMA respondents are doing) or produce legal documents for each data transfer. These documents include contract clauses (30 percent) or binding corporate rules (10 percent) — these require legal teams and data importers and aren’t exactly quick or cheap.
Model contract are the fastest — they can be executed within a day as long as the firm’s lawyers and data teams are all available. Some companies, like Mailchimp, offer clients downloadable standard clause forms to make it as easy as possible to comply with regulation.
But these aren’t even remotely watertight. “Even when using model contract clauses, you still don’t know if the U.S. government is reading your emails,” said Eitan Jankelewitz, who works at media lawyers Sheridans. “We’re just another court case away from finding out that that doesn’t work either. Currently, they are lawful, but we don’t know how long for.”
“Model clauses are plainly inadequate,” said Richard Lack, director of EMEA sales at software firm Gigya. “They may bridge the gap legally as an interim process, but really everyone is driving toward hosting data within EU.”
Which means the small- and medium-sized companies — some 60 percent of businesses that were Safe Harbor certified — are feeling the pinch. “Companies that can’t afford regional data centers, which cost several million of pounds to run annually, will just fail to expand internationally,” said Lack. “It is just part of international trading now that you have to deal with various regional data privacy legislations.”
The DMA’s research will aid discussions on how the European Commission and the U.S. Department of Commerce can agree on a Safe Harbor 2.0, but some sources say the U.S. needs to pass more laws to ensure European citizen data is handled securely.
More in Media
WTF is headless browsing, and how are AI agents fueling it?
AI agents are putting headless browsing back in the spotlight. For media companies, that raises questions: How much traffic is real vs. automated?
How People Inc. is prioritizing traffic and revenue diversification to prepare for AI era
People Inc is preparing for AI’s impact on search and content discovery by focusing on traffic and revenue diversification and direct to consumer relationships.
One year in, Business Insider’s AI onsite search is boosting engagement
Although Business Insider’s AI search tool is currently only used by roughly one percent of Business Insider’s readership, it has significantly increased the engagement of those who do use the tool, with click-through to articles increasing by 50 percent since October.