Invalidation of Safe Harbor Impacts Privacy

The Safe Harbor Framework for protecting personal information negotiated between the European Union (E.U.) and the United States was invalidated by an Oct. 2015 European court ruling. Many U.S.-based organizations relied on the Safe Harbor Framework to comply with E.U. privacy regulations. The invalidation of the Safe Harbor Framework should not affect organizations using Microsoft’s enterprise-targeted hosted services, such as Office 365 and Azure, because the agreements for these services already incorporate E.U.-compliant Model Clauses, an alternative compliance framework. However, organizations using Microsoft’s consumer-focused hosted services may now be at risk for noncompliance with E.U. privacy rules.

Goodbye Safe Harbor

E.U. privacy regulations are the de-facto personal privacy standards that organizations operating internationally have followed since an E.U. Directive on Data Protection became mandatory for all E.U. member states in 1998. One consequence of the directive is that it prohibits the transfer of personal data from the E.U. to countries that do not meet the E.U. “adequacy” standard for privacy protection.