If you are reading this article then you may already have heard the news that the EU / US ‘Safe Harbour’ agreement has been declared invalid by the European Court of Justice. You may also have no idea what this means – or what, if any, relevance it has to you. Well read on and hopefully we can explain…
So to get started lets explain what the Safe Harbour agreement is. It is essentially a set of rules agreed between the US and other countries, who have concerns about privacy of data held in the US. There are agreements with both Switzerland and the EU. The EU agreement essentially gave US companies a framework that they could certify themselves against to demonstrate that they provide EU levels of data privacy should they transfer data to the US.
The recent ruling stemmed from a case brought by Austrian privacy campaigner Max Schrems, specifically citing data held by Facebook, who argued that the existing safe harbour agreement did not provide adequate protection to data in the wake of the Snowdon allegations.
So what does this mean for your business?
Essentially not a great deal changes. Many hosted business data services run by US businesses are hosted in the EU anyway. For those that are hosted in the US, but accepting EU data, it is expected that will put in place individual ‘Model Contract Clauses’ which will cover the safe transfer of data outside of Europe. But you should check with your service providers if you are concerned.
Businesses who outsource processing of personal data to US businesses (for example processing marketing or payroll data) and previously used suppliers who were certified under safe harbour will have to reassess their suppliers following this ruling. However a more likely impact will be the price of using US based cloud providers as they take on increased costs of either implementing Model Contract Clauses or building EU based data centres.
The much bigger impact will come around how US businesses can handle your personal data as you browse and use US based internet services, such as Facebook and Google. But exactly how this will pan out is yet to be seen.
Regardless of this recent ruling, if you are a UK business processing personal data you are still bound by the data protection act which states that you must take ‘appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’. So as a starting point you should know where that data is held – an audit is best practice if you have not already done so.
For more information on data protection and your responsibilities, contact us on 0845 507 0846.