EUs Ruling Against Safe Harbor Agreements Throws Companies in Limbo


Early in October the ability to “personalize” our relationship with customers hit a road block for companies that do business in Europe and the United States. The European Court of Justice ruled against the 15-year Safe Harbor principles which were used as a framework for companies to transfer personally identifiable information (PII) from the European Union to the United States. In a business climate such as the hospitality industry’s that increasingly depends on customizing the customer experience to attract and keep loyal customers, this has put us all on pause.

In plain terms, data that is collected from European citizens in Europe currently cannot be transferred out of the EU. This ruling came about as concerns have grown that data that is transferred out of the region do not reside under the same protections provided by the E.U., which has largely been firm on safeguarding its citizens’ personal data.

The ruling that was struck down dates back to 2000 when the U.S. and EU developed an agreement that outlined a set of principles for companies to follow for agreeable PII protection. U.S. companies that did collect data in Europe were asked to be safe harbor certified, ensuring the following:

  • Notice – Individuals must be informed that their data is being collected and about how it will be used.
  • Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
  • Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
  • Security – Reasonable efforts must be made to prevent loss of collected information.
  • Data Integrity – Data must be relevant and reliable for the purpose it was collected for.
  • Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
  • Enforcement – There must be effective means of enforcing these rules.
    (U.S. Department of Commerce, July 21, 2000)

Recently the outlined principles were put into question as the data surveillance practices of the U.S. government became widely known. With that revelation, the U.S. and E.U. worked on negotiating a revised agreement, but failed to meet the deadline set for May 2015.

And that leaves us to the position we are in now… with little guidance on how to proceed. The judgement to strike down the agreement was effective immediately, leaving many cross-national companies in limbo. Certainly it was true for our association Hospitality Financial and Technology Professionals (HFTP), headquartered in the United States, as we were about to launch our new site The customizable features of our brand new hospitality-specific search site, intended for a global audience including the EU, relied on the registration of its users. The bells and whistles depend on building a personal profile so one can make the site your own. With a scheduled launch coming, we were not sure how to proceed. Should we block registration from European IP addresses or continue as is?

Then considering beyond our own organization, what about our members who work at international hotel companies. As the producers of HITEC (the Hospitality Industry Technology Exposition and Conference), we are very familiar with the growing interest and importance of big data and CRM to keep our guests returning. How will the data of our globetrotting guests be managed?

There has been quick reaction to the ruling as this is seen as a crucial issue to resolve. Lawmakers in the E.U. and the U.S. have been working quickly to resolve the issue and negotiate a Safe Harbor 2.0. The issue is of such top concern that in early November U.S. Vice President Joe Biden spoke with EU Chief Executive Jean-Claude Juncker about the need for a solution. But delays to an agreement are likely, as experts believe that without stricter data security laws in the U.S., the European Court of Justice is likely to strike down a revised agreement. Currently EU privacy regulators have given negotiators until the end of January to come up with a solution.

What are companies to do during this in-between period? One way to proceed without violating any laws is to get express consent from an E.U. citizen. The participant would have to give explicit consent that allows the company to transfer the data between the two regions. While this may not seem feasible for larger companies, it might be a solution for smaller firms with select clienteles. Otherwise, the alternatives might be costly.

Many of the larger companies are now keeping the data put in the E.U. by either establishing offices or maintaining the data in servers within its boundaries. This is an especially strong scenario because there is no certainty as to when an agreement will be made that allows the data transfer. Luckily for HFTP, the servers already reside in the EU by our partner hsyndicate, based in The Netherlands. As long as we keep the data there, and don’t transfer it to our U.S.-based global headquarters, we can continue to allow EU citizens to register with the site to create personal profiles. The ruling did push the HFTP Global Board of Directors to move forward with a larger HFTP European headquarters. This was something the association had been considering and now feels is necessary to properly reach out to European members.

And while negotiations proceed, I have a few suggestions of some data security measures companies can start to implement that shore up data storage and are likely to help as regulations tighten.

First is to employ good data oversight practices. Know the particulars on how the information is stored, transferred and used. This includes vetting the companies hired for shadow IT services and making sure they adhere to strict standards set by your company. It is not enough to establish guidelines, but it is also important to make sure practices are regularly reviewed.

Protect data with the use of encryption or tokenization. Both processes are versions of cryptography, changing the original data to unreadable text. Tokenization, the newer practice, is starting to build up in popularity as it is more flexible to use and is argued to be considered more secure. Encryption is an end-to-end process based on a static key. Sensitive data is entered and is encrypted based on a specific algorithm. It stays as a code as it travels through the system and can be decrypted on the other end (in the secure confines of your office) with the use of a key. And so, the burden of securing the data is transferred to the burden of securing the key. Alternatively, tokenization changes meaningful text, such as a personal ID number or payment information, into coded text – or token – that has no relationship to the original text. Since the tokenized data has no relation to the original data, the code cannot be broken.

Still be familiar with data storage practices, even in Europe. As I mentioned before, response to the recent ruling has been to keep data within the EU as to not violate regulations. Doing this does not mean you should not scrutinize the security standards and methods of the storage facility. In addition to questionable security, the facility could also be transferring or backing-up data to countries outside of the E.U. It is best to do a thorough review of how your data will be managed.

The recent ruling has definitely stirred up the status quo and will possibly provide us with more stringent protections that would be for the best in an environment that has played it loose with our personal information. At the same time, it has left us in a waiting position as the lawmakers can come to agreeable terms. Stay tuned, but for our sake, I hope not for long.

Wolfe_F131x175Frank Wolfe, CAE, is the CEO of HFTP and an inductee into the International Hospitality Technology Hall of Fame and a Paragon Award winner. He often speaks on hospitality and travel related issues. He is an author, speaker and an advocate of careers in hospitality technology or finance. E-mail: Twitter @frankwolfe. Or Facebook: Frank I. Wolfe. Co-written with Eliza Selig, HFTP Director of Communications who has worked at HFTP since 1999 (

You May Also Like

About the Author: Frank Wolfe