Wednesday, 25 November 2015

The End of Safe Harbour: Check Your Data

Safe Harbor was a self-certifying arrangement whereby a company in the US (for example) would be able to provide protection for data stored there by EU users under the EU Data Protection Law. Hence the name - "safe harbor".

The Safe Harbor principles were agreed to on the basis that, even though U.S. law would not change, the private companies who signed up to the Safe Harbor list would adhere to the rules set out by the EU.

These rules included, but were not exclusive to, the EU enabling access for private organisations in the US to an individual's data upon request, and assurances that data security was effective enough to guarantee data protection. It was neat because it was self-certifying and did not therefore rely on lawyers to draw up contracts. However, there was mounting criticism of laxity even before the EU ruling.

The current situation is that what might be termed “Safe Harbour 2.0” is in progress at the time of the ruling. It is clear that this ruling will act as a bargaining point for stricter regulation of data transfer.

While the current situation has been prompted by a particular Court ruling, it has become clear from the revelations by Edward Snowden that breaches of Safe Harbour by the USA have been going on for some time on a regular basis.

“A company in Europe may run afoul of these rules if it uses a U.S. service provider that it sends data to, such as for email marketing. Or it might run afoul of these rules if it sends data to a U.S. subsidiary,” explains Daniel Castro of the Information Technology & Innovation Foundation.

The collapse of Safe Harbor does not mean the end of legal transfer of data. The EU commission itself says that other mechanisms can be used, and EU Model clauses are one such mechanism which they themselves suggest. In the meantime, there is a period of grace until 31 January 2015.

But in the meantime, business users in Jersey should question where their Cloud data is held, and how it is protected. This covers everything from online accounts packages like Quickbooks Online and Xero, to email systems using Hotmail and Gmail. etc.

Basecamp has this to note:  If you live in the European Union and store personal data in your Basecamp account, or you use your Basecamp account to do business with EU residents who may provide personal data, then the ruling on Safe Harbor may affect you.... We are currently in a grace period from enforcement groups through the end of January 2016.

I've not been able to find anything about Quickbooks Online, which is worrying.

It appears that Xero, perhaps because of its origin in New Zealand,  has not just relied on Safe Harbour but has also been using EU Model clauses as a backup in case there were problems with Safe Harbour, and these satisfy the requirements of data transfer from the EU to the US. It is highly likely that they knew the weakness of Safe Harbour and decided to reduce their risks accordingly.

A Xero Community Manager has stated:

"Like many SaaS companies, we use top-tier, third party data hosting providers' servers to host our online and mobile services. Our providers Amazon Web Services, Microsoft Azure, and Rackspace are located in the US. For our European and other non-US customers, it means that personal information is transferred to those hosting providers’ servers in the US.  To confirm, we have in place EU Model Clauses with each of these hosting providers, which continue to be recognized by the EU as a means of satisfying the requirements relating to the transfer of data from the EU to the US."

However, these model clauses will be placed under additional scrutiny and may have to be tightened. The particular reason is that the USA’s National Security Agency may well “ride roughshod” over them just as it did with Safe Harbour. But for the moment, they remain an alternative safeguard, and Xero clearly complies with those.

It is worth noting that for many other countries outside the USA, there were no “Safe Harbor” arrangements, and “model clauses” and “binding corporate rules” were always necessary to do business. The UK Data Protection guidelines state:

“Adequate safeguards may be put in place in a number of ways including using Model Contract Clauses, Binding Corporate Rules or Binding Corporate Rules for Processors (BCRs) or other contractual arrangements. Where “adequate safeguards” are established, the rights of data subjects continue to be protected even after their data has been transferred outside the EEA.”

“The European Commission has approved four sets of standard contractual clauses (known as model clauses) as providing an adequate level of protection. If you use these model clauses in their entirety in your contract, you will not have to make your own assessment of adequacy.”

“Another option is to adopt binding codes of corporate conduct, known as binding corporate rules or binding corporate rules for processors (BCR). This option only applies to multinational organisations transferring information outside the EEA but within their group of entities and subsidiaries." 

"These rules create rights for individuals, which can be exercised before the courts or data protection authorities, and obligations for the company. In all cases, the rules are legally binding on the companies in the multinational group and will usually be made so by unilateral declarations, intra-group agreements or the corporate governance of the group. To use BCR to transfer personal data freely within your group, they must be approved by all the relevant European data protection authorities who will co-operate with each other in assessing the standard of your rules.”

There is no need for immediate concern, but if your business uses cloud based storage of data, including personal data on individuals , the you need to consider where your data is held and what protective measures have been put in place.

1 comment:

James said...

Mailing lists too - who uses Mailchimp?