ECJ Safe Harbour ruling to prompt changes in fraud prevention?
Safe Harbour is potentially no more after the European Court of Justice (ECJ) ruled this month that it is suspending the transatlantic data transfer framework that allowed US organisations to obtain and store data on European citizens.
The ruling could spark major change for the fraud prevention landscape and we expect it to have a significant effect on the way businesses on both sides of the Atlantic handle their data privacy and anti-fraud processes.
The agreement, active since 2000, was ruled invalid after concerns over intervention issues were raised. It was found that the agreement did not allow for data protection watchdogs to intervene on behalf of citizens who felt that their privacy had been compromised.
The ruling is sure to prompt calls for a review of data privacy across many organisations. A large number of technology businesses, including ecommerce merchants, who handle personal data of EU citizens in the US, will now have to consider establishing local European-based data centres for their EU customers’ data, as well as adhering to often stricter European data privacy laws.
We at Risk Ident believe that privacy is important and should be respected, even in the fight against fraud. The ECJ ruling could completely change how US companies use and share data, although simply setting up European data centres will not be the solution. The US Freedom Act Section 702 (FAA 702) is likely to remain in use by the US government to obtain data stored in Europe by US companies. Businesses will need to be transparent with their customers and on hand to manage any data sharing concerns.
While the ruling is not expected to be a barrier for businesses, it may cause friction and take some time before many US companies adapt. Businesses in some of Europe’s strongest economies, including the UK and France, are likely to feel the effects because of their data exchanging relationships with the US as part of their fraud prevention practices.
Today, too many organisations argue that it is in the best interests of users to give up more of their privacy because it will ultimately keep them safer online. This is not necessarily true, however, as it is possible to keep personalised information separate from anonymised data, such as device identification data.
We founded and built Risk Ident with European data privacy laws specifically in mind and believe in smarter fraud prevention technology that maintains privacy without compromising on security. We welcome the ruling from the ECJ, which publicly and legislatively recognises the importance of data privacy in Europe.
Its decision has ignited renewed attention on the ethics of sharing personal data across continental jurisdictions and could also provide a boost to the European IT industry as the continent retains ownership of personal data management.
The recent high-profile Weltimmo and Schrems cases, and the ECJ’s latest ruling, have brought European data privacy into the spotlight. With customers shopping online in record numbers across the globe, the debate on what data should be shared, and where, is something that is sure to continue on both sides of the Atlantic.