And everyone looks surprised, says Tim Roe, Director of Deliverability and Compliance at RedEye. He chronicles the downfall of ‘Safe Harbour’.
What did the ‘Safe Harbour’ agreement actually do?
In EU law (from which the UK Data Protection Act is drawn), a data controller who needs to transfer data outside of the European Economic Area (EEA) must do due diligence on where they intend to send the data. They need to satisfy themselves that the data protection will be the same as or better than that provided within the EU. It’s quite an undertaking, because if anything goes wrong, it’s down to the data controller to prove they took all reasonable steps to ensure the data’s safety. If they can’t do that, they could well have broken the law.
It also counts if the personal data belongs to EU citizens and it is being gathered by a non-EU organisation, like Facebook for instance.
Enter ‘Safe Harbour’, an agreement between the EU and the US that allowed any organisation agreeing to the ‘Safe Harbour’ principles to be deemed adequate in relation to data protection. The principles of this agreement were developed between 1998 and 2000, with the European Commission rubber stamping the agreement in July 2000. This allowed EEA businesses to export data to the US with a clean conscience. It also allowed US companies to process data they have gathered on EU citizens. So what does a US data processor need to do to belong to this exclusive crowd of data protection stalwarts?
It might go something like this:
US data processor: Hey buddy, I want to join the ‘Safe Harbour’ crowd.
Buddy: Ok, you’ve got to do something first.
US data processor: Right… So what might that be then?
Buddy: See these data protection principles?
US data processor: Yeah.
Buddy: Just say you agree to them.
US data processor: Is that it?
US data processor: Ok…In that case, yes I agree. Count me in!
Buddy: Great news! Welcome to the club!
No promises, no guarantees…
Lack of protection
To add to the lack of substance in the ‘Safe Harbour’, the Court of European Justice has ruled that the ‘Safe Harbour’ agreement is invalid for other, more fundamental reasons. This is because the US authorities’ wide-ranging powers of interference and surveillance and the absence of any administrative or judicial means of redress compromise individuals’ fundamental rights to respect for private life and to effective judicial protection*.
That suggests that not only is EU citizens’ data unsafe in the US but that US citizens are no better protected either.
The UK Information Commissioner’s Office (ICO) has already issued a statement, saying that negotiations on an updated ‘Safe Harbour’ are already in an advanced stage. However, seeing that the Court of European Justice ruling cites a disagreement with what is a key US security policy, this process is likely to go on for some time. For now, ‘Safe Harbour’ is finished.
What actions to take now
Does this mean the end of data transfers and processing across the pond? What happens now?
Well, apparently you don’t need to panic because there are a number of options available for organisations that rely on transferring data to the US. Here are some actions you could take now:
• Identify all of your personal data that goes to the US. This could be something like CRM systems or US based service providers
• Review the terms of the suppliers to see who relies on the ‘Safe Harbour’
• See if you can make alternative arrangements, such as using the model contract clauses (available from the ICO website) or binding corporate rules if you are a global business
There are likely to be many more options and much more advice in the coming weeks from organisations such as the Information Commissioner’s Office. Some service providers in the US have already issued new contracts including model contract clauses, which bind data protection at a contractual level.
What happens next?
At first glance, the demise of ‘Safe Harbour’ will be little more than an inconvenience for many EU-based organisations. But, if you are a US service provider who relied on ‘Safe Harbour’ to rubber-stamp the gathering of EU citizens’ data (such as social media platforms), things might not look so rosy.
The only way of complying with the Data Protection Act would be to gain the specific and informed consent of the data subject. But, to be properly informed, the data subject would need to be told that their data was going to a country where the authorities’ wide-ranging powers of interference and surveillance and the absence of any administrative or judicial means of redress compromise individuals’ fundamental rights to respect for private life and to effective judicial protection*.
And if they were informed, would they consent?
And, considering that this is the Court of European Justice ruling, damning the data protection and security regime of the United States, no contractual agreement will satisfy the EU data protection requirements.
Nothing short of a complete revision of the US security regime regarding the surveillance of foreign citizens will satisfy the EU regulations. The EU regulations are formed on fundamental human rights, one of which is the right to a private life. That is not going to change, but it remains to be seen how far the US is prepared to compromise. The only certainty is that the next few months will be very interesting.
*This sentence was paraphrased from the official press release from the Court of Justice of the European Union.
This article appears on the RedEye blog.