European Union High Courts Strike Down Safe Harbor – TokenEx is Prepared

Recently, the European Union's (EU) highest court struck down Safe Harbor, an agreement between the United States and the EU governing the sharing of data between the two regions for business purposes. According to reports, approximately 4,500 US organizations will be affected by this ruling, including providers of data vault and tokenization solutions such as TokenEx.

Why Safe Harbor Agreement Was Ruled Invalid

While this decision is surprising, considering that the Safe Harbor Agreement has been in place since 2000, the EU court ruled that the agreement is invalid for two reasons: 1) the US cannot keep foreign entities from stealing data, including credit card data, and 2) the National Security Agency (NSA), through its monitoring activities, inherently breaches the Safe Harbor Agreement for US companies storing private data about EU citizens and businesses.

The TokenEx Stance on The Ruling

TokenEx takes the stance that, while the US Government may have trouble protecting EU data stored in the US, organizations that use the TokenEx Cloud Security Platform are very capable of protecting EU data, such as tokenized credit card data, and ensuring it is not breached by hackers. Unfortunately, neither TokenEx nor any other security provider has any control over NSA data surveillance policies.

TokenEx is Adhering to EU Guidelines

Since TokenEx provides tokenization and data vaulting services to a global customer base, we are carefully following new guidance from the EU regarding the storage and transport of PII belonging to European citizens. Our understanding, from communications with the US Department of Commerce, is that the decision to strike down the existing Safe Harbor agreement does not mean that US businesses must delete all EU data today, disrupting the existing business operations of both EU and US organizations. What it does mean is that the next version of Safe Harbor will include stricter controls on storing and transporting EU data across borders. Should the EU follow the regulations of other progressive governments such as Germany, South Korea, and, more recently, Russia, TokenEx will still be able to store payment card information for our global customer base. Currently, payment data on its own is not regarded as personally identifiable; it becomes so only in combination with other identifying data elements.

TokenEx Provides Custom Data Security Strategies

TokenEx gives our clients the ability to tokenize only payment card data for international purposes, while retaining tokenized PII in country. If necessary, TokenEx has alternate strategies that its global customer base can employ to keep both payment and identifiable data in country while securely tokenizing it. For example, if the EU decides that tokenized credit card data belonging to EU citizens is as sensitive as PII, TokenEx has PCI-compliant hosting facilities in Europe that provide a physical storage presence in the EU for both data sets. To our clients, this simply means that their business processes can continue as usual, with their sensitive customer data securely and legally stored.

We know data privacy is a complicated matter for international organizations, so if you have any additional questions, please contact us to discuss your Safe Harbor requirements. Follow us on Twitter and LinkedIn.
