European Union (EU) privacy law forbids the transfer of personal data to countries outside of the EU unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those of the EU. In 2000 the ‘Safe Harbour Agreement’ was signed between the EU and the US.
What is the Safe Harbour Agreement?
Under the agreement, U.S. companies storing customer data could opt into the program and be certified if they adhered to seven principles and 15 frequently asked questions and answers, in order to comply with the EU Data Protection Directive and with Swiss requirements.
This entails self-certification, renewable in writing every 12 months after a self-assessment to verify that the company still complies with the principles. The Federal Trade Commission manages the Safe Harbour under the oversight of the U.S. Department of Commerce, but the U.S. government does not regulate it. It is self-regulated by its private sector members.
That was the position until the European Court of Justice (ECJ) invalidated the EC's Safe Harbour Decision on 6 October 2015. The court's decision was based on the opinion that "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life".
How did the ECJ judgement come about?
An Austrian citizen, Maximillian Schrems, made a complaint in the Irish courts regarding Facebook’s transfer of his personal data from its Irish subsidiary to servers in the U.S. He complained that "in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities." The Irish courts referred the complaint to the ECJ, which held the Safe Harbour Principles to be invalid because they provided insufficient guarantees: the companies opting in were "bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with national security, public interest and law enforcement requirements."
Furthermore, cloud data, regardless of where it is stored, is not protected against the Patriot Act, an Act of Congress that was signed into law by President George W. Bush on October 26, 2001. In 2012, legal research supported the notion that the Patriot Act could allow U.S. law enforcement agencies to bypass EU privacy laws.
How long do we have?
The ECJ decision applies with immediate effect, and the Safe Harbour Principles are no longer in force. U.S. companies can no longer rely on self-certification, and alternatives have to be found.
What next, then?
U.S. companies wishing to send EU personal data across the Atlantic must put “model contract clauses” in place in each individual case. Model contract clauses are standard contractual clauses recognised as offering adequate safeguards for the purposes of Article 26(2) and Article 26(4) of the Directive (see “Model Contract clauses – International transfers of personal data”, 20120228).
The same procedure will apply to cloud services based in the U.S.
Some U.S. companies are setting up data centres in the EU to handle EU personal data.
Whilst we are waiting for a new safe harbour agreement to be put in place, encryption may hold the key. Encrypting the data before it is sent to the cloud removes the personal data protection issues described above, because the cloud provider never holds the data in readable form.
Web Consulting Team has its own private servers located in the EU (Netherlands), so they fall outside of all of the issues mentioned above. They run on the latest technology and have a high degree of security.
Our private servers are reserved exclusively for our customers, offering them fast access to their data, websites and emails.
If you want to speak with Guy directly, dial +44 (0)20 7589 4721