Why is Safe Harbor still being used?
In October this year an Austrian law student by the name of Max Schems earned his 15 minutes of fame. In a legal case brought against the Irish Data Commissioner he forced the European High Court to invalidate the Safe Harbor agreement.
For the last 15 years the agreement has allowed US companies to transfer personal data about EU citizens outside the EU, as long as they complied with the rules of the agreement and engaged with a dispute resolution party such as PrivacyTrust.
However, with the revelations from Edward Snowden and the Prism system, it quickly became clear that EU data was vulnerable to US government access.
However when the court declared that Safe Harbor was no longer a safe method, what they did not do is replace it. Instead that was left to the data authorities to wrangle.
Even as I write this Safe Harbor 2.0 is in the works, with no clear date or indications as to its content.
In the meanwhile the US Dept of Commerce has continued to administer the system, and surprisingly companies have continued to use it. The reason for this is simple, despite what Mr Schems or the courts may have you believes its still a good benchmark for Data Privacy. Its provides a sound framework for companies seeking to transfer data across international boundaries, and while Binding Corporate Clauses (completed) and Model Contracts (time consuming) have been touted as a replacement, neither of them are as flexible as Safe Harbor was.
For this reason thousands of companies are still clinging to its guiding principles, and thats one of the reasons why despite its end in October, Safe Harbor continues to fight on and until version 2.0 is released, it will probably continue to do so.