EU Safe Harbor and Privacy Shield: Timelines, Deadlines and Red Lines
Published 03/16/2016
What has happened since safe harbor was declared invalid and what’s next?
By Nigel Hawthorne, EMEA Marketing Director, Skyhigh Networks
As a quick reminder, Safe Harbor was the primary legal mechanism that allowed US-based companies and cloud providers to transfer data on European individuals to US data centers. That mechanism was declared invalid by the Court of Justice of the European Union on October 6, 2015 (the Schrems judgment).
It’s been five months since then, and these are the main changes made by companies, negotiators, data protection authorities and lawmakers in that time.
Most US-based organisations have looked at their mechanisms for transferring data and either adopted EU Model Clauses, Binding Corporate Rules, or new terms and conditions – as an example Salesforce issued new terms the day after the judgement; they were obviously ready.
More cloud providers have opened European-based data centers (or “centres”, as they are referred to in the UK!) allowing data to stay in Europe, for example Skyhigh’s own announcement and Microsoft’s announcement jointly with Deutsche Telekom.
The various European data protection authorities that make up the EU Article 29 Working Party issued a statement on 16th October naming a deadline of the end of January 2016 for negotiators to come up with a new plan, with the threat that otherwise the data protection authorities “are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”.
Some of the data protection authorities issued their own news with advice for companies; this one from the UK’s ICO puts the story in context and is very helpful.
The negotiators just missed the end of January deadline, but a few hours before the Working Party was due to meet and decide on its actions, the EU-US Privacy Shield was announced. Frankly, there were few details at the time, so it was probably announced to hold off action from the data protection authorities and buy a bit of negotiating time.
Another blog from the UK’s ICO makes clear that their position is to wait and see what happens “We will not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome”.
On February 29 the European Commission published its FAQ fact sheet on the EU-US Privacy Shield, which fills in many of the missing details. It shows that US organisations have stronger obligations, there are clearer safeguards, EU citizens have the right to redress, and the US has given written assurances that access by public authorities will be subject to limitations and oversight, ruling out indiscriminate mass surveillance.
This isn’t the end of the process, but we continue down the road. The next steps are that the EU member states, the data protection working party (WP29) and the college of commissioners all need to approve the text for ratification, which is expected in June 2016.
If that happens, there could still be another challenge to the European Court of Justice arguing that the framework is not strong enough, and once the new EU General Data Protection Regulation (GDPR) starts to apply in 2018, it is likely to be reviewed again.
There’s certainly been a lot of talking in the months since Safe Harbor was declared invalid. The situation isn’t completely clear, but no one with data on European individuals should be complacent in expecting that data privacy problems will all just go away.
Anyone with data on individuals in the 28 countries of the EU should consider how it is gathered, the opt-in given to users, how it is transferred, which cloud services hold that data, where those cloud services are based, where they store the data itself, which employees and third parties have access to that data, and the legal and privacy policies in use. Enterprises must look at the mechanisms being used to track the movement of data, the security technologies deployed, and the education of employees.
Ultimately, if you collect data, you are responsible for keeping it safe and for the policies and mechanisms that ensure it is not lost. Transferring data from the EU to the US requires careful handling, and organisations need to be able to follow the data that their users may be accessing. Outsourcing computing to the cloud may move personal information of EU individuals outside the EU, specifically to US cloud service providers. In that case the employer needs to be able to track, log, manage and even block transfers made by employees where the appropriate legal and technical mechanisms are not in place to keep that data secure.
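As an added illustration of the track/log/block decision just described (example code written for this page, not Skyhigh’s product or any code from the original post), the script below parses constructed CASB-style upload log lines, looks each destination up in a hypothetical registry of sanctioned cloud services with their storage country and documented legal transfer basis, and decides whether the upload is allowed, allowed with logging, or blocked. The registry, the mechanism labels (`model_clauses`, `bcr`, `privacy_shield`, `safe_harbor`), the log format and the user names are all constructed for the example; a service that still relies on Safe Harbor is treated as having no valid basis, and Privacy Shield is treated as pending rather than in force, matching the state of play described above.

```python
"""Transfer-policy check for employee uploads to cloud services.

Added example, not code from the original post or from Skyhigh. The service
registry, legal-mechanism labels and log lines are constructed for
illustration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# EU member states (28 in 2016) plus the other EEA countries, ISO 3166-1 alpha-2.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "GB", "IS", "LI", "NO",
}

# Legal bases still usable for EU-to-US transfers after the Safe Harbor ruling.
# "safe_harbor" is deliberately absent: a registry entry that still relies on it
# is treated as having no valid mechanism at all.
VALID_MECHANISMS = {"model_clauses", "bcr"}
# Privacy Shield is announced but not yet ratified; keeping it in its own set
# means the policy can be switched on with a one-line change once it is in force.
PENDING_MECHANISMS = {"privacy_shield"}


@dataclass(frozen=True)
class CloudService:
    name: str
    data_center_country: str           # where the service stores the data
    transfer_mechanism: Optional[str]  # None if nothing is documented


@dataclass(frozen=True)
class UploadEvent:
    timestamp: str
    user: str
    service: str
    personal_data: bool       # a classifier flagged personal data in the upload
    data_subject_region: str  # "EU" when the individuals are in the EU


LOG_RE = re.compile(r'(?P<k>\w+)=(?P<v>"[^"]*"|\S+)')


def parse_event(line: str) -> UploadEvent:
    """Parse one key=value log line (constructed CASB-style format)."""
    fields = {m.group("k"): m.group("v").strip('"') for m in LOG_RE.finditer(line)}
    return UploadEvent(
        timestamp=fields["ts"],
        user=fields["user"],
        service=fields["service"],
        personal_data=fields.get("personal", "no") == "yes",
        data_subject_region=fields.get("subject_region", "unknown"),
    )


def decide(event: UploadEvent, registry: Dict[str, CloudService]) -> Tuple[str, str]:
    """Return (action, reason); action is one of allow, allow_log, block."""
    svc = registry.get(event.service)
    if svc is None:
        return "block", "service not in sanctioned registry"
    if not event.personal_data or event.data_subject_region != "EU":
        return "allow", "no EU personal data involved"
    if svc.data_center_country in EEA:
        return "allow_log", f"data stays in the EEA ({svc.data_center_country})"
    if svc.transfer_mechanism in VALID_MECHANISMS:
        return "allow_log", f"transfer covered by {svc.transfer_mechanism}"
    if svc.transfer_mechanism in PENDING_MECHANISMS:
        return "block", f"{svc.transfer_mechanism} not yet in force"
    return "block", f"no valid transfer mechanism (has {svc.transfer_mechanism!r})"


def evaluate_log(lines, registry: Dict[str, CloudService]) -> List[Tuple[str, str, str, str]]:
    """Run the policy over log lines; returns (user, service, action, reason) rows."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        action, reason = decide(ev, registry)
        results.append((ev.user, ev.service, action, reason))
    return results


# Constructed registry of sanctioned services (names are hypothetical).
REGISTRY = {s.name: s for s in [
    CloudService("crm.example", "US", "model_clauses"),
    CloudService("filesync.example", "US", "safe_harbor"),
    CloudService("hr.example", "DE", None),
    CloudService("chat.example", "US", "privacy_shield"),
]}

# Constructed upload log; one line per employee upload event.
SAMPLE_LOG = """
ts=2016-03-10T09:14:02Z user=alice action=upload service=crm.example personal=yes subject_region=EU
ts=2016-03-10T09:15:40Z user=bob action=upload service=filesync.example personal=yes subject_region=EU
ts=2016-03-10T09:16:05Z user=carol action=upload service=hr.example personal=yes subject_region=EU
ts=2016-03-10T09:17:51Z user=dave action=upload service=chat.example personal=yes subject_region=EU
ts=2016-03-10T09:18:12Z user=erin action=upload service=unknown.example personal=no subject_region=EU
ts=2016-03-10T09:19:30Z user=frank action=upload service=filesync.example personal=no subject_region=US
"""

if __name__ == "__main__":
    for user, service, action, reason in evaluate_log(SAMPLE_LOG.splitlines(), REGISTRY):
        print(f"{action:9s} {user:6s} -> {service:18s} {reason}")
```

The ordering of the checks is the point: an unsanctioned service is blocked before anything else is considered, uploads with no EU personal data pass without a legal question, data that stays inside the EEA is logged but allowed, and only then does the documented transfer basis decide the outcome. Running it shows the same service (`filesync.example`) allowed for one user and blocked for another purely because of what the upload contains.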