This week the European Court of Justice ruled that the transatlantic Safe Harbour agreement, which lets American companies use a single standard for consumer privacy and data storage in both the US and Europe is now invalid.
What is the issue?
Since 2000, the ‘Safe Harbour’ pact has enabled US Companies to self-certify that they conform to EU data protection rules. This has been necessary as US data protection legislation does not meet EU standards. In the EU, data privacy is treated as a fundamental human right, whereas in the US, ‘other concerns’ sometimes take priority.
The Safe Harbour pact was designed to provide a ‘streamlined and cost effective’ way for US firms to get data out of Europe without breaking the rules. But Edward Snowden’s NSA leaks showed that European data stored by US companies was not safe from surveillance that would be illegal in Europe. As a result of a challenge in the wake of these leaks, the European Court of Justice has now ruled that personal data may not be transferred to US companies purely on the basis of Safe Harbour certification.
According to the new ruling any organisation that wants to export personal data must draw up and sign Model Contract Clauses (available from the ICO website). This is not just a paperwork exercise but may have significant implications with respect to liability for breaches. US organisations must also now ensure that not only their paperwork, but also their practice, conforms to EU requirements. This will have a significant compliance and assurance overhead for organisations who are party to transatlantic arrangements involving personal data.
There is likely to be a significant amount of contract and legal work to ensure companies fall in line with the legislation. Organisations on both sides will also need to review their compliance frameworks to ensure that appropriate levels of assurance are maintained.
What do we need to do?
The first thing that any organisation should do is to conduct a risk assessment to identify whether any of the personal data for which they are responsible is being stored in the US. If they are found to be exposed, then they should take steps to ensure that appropriate contractual and compliance arrangements are in place to protect the data.