Don't panic, biz bods: A guide to data in the post-Safe Harbor world
Sweat the details
The Safe Harbor agreement this week suddenly became of interest to a lot more IT managers than had previously given a stuff about it.
But what is Safe Harbor, exactly?
The Safe Harbor agreement between the US and the EEA (which comprises the member states of the EU plus Iceland, Norway and Liechtenstein), dating from 2000, had provided a convenient way for companies with a European presence to transfer data to the US.
Instead of having to meet the individual requirements of each of the European countries from which data was being exported, you simply needed to demonstrate “adequacy” in your data protection processes and policies in order to gain a blanket approval for transferring data to the US from any or all of the EEA states.
Now, after various challenges and reviews of the agreement over the years, the European Court of Justice has ruled Safe Harbor unsatisfactory and chucked it in the bin.
The thing for IT managers to bear in mind about the EU-US agreement is that it was just that: a specific agreement that made life easier for data transfers to (which really means data storage in) the US in particular.
As the cover of a well-known stellar information book might put it, though: don't panic. Yes, if you'd relied on the agreement you need to review the adequacy of your protection processes now it's gone. But it doesn't mean you have to rush and do anything daft.
Let's have a look at what the Information Commissioner's Office (ICO) says about sending personal data (and it's primarily personal data we're talking about) outside the EEA. The ICO's guide to data protection (well worth a read) has eight principles. Principle eight, “Sending personal data outside the European Economic Area”, for example, contains a ten-point checklist which tells you to ask yourself things like:
“Have you complied with all the other data protection principles?” and: “Is the transfer to a country on the EU Commission’s list of countries or territories providing adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data?”
The “EU Commission’s list of countries” mentioned is here – there will be some smug Canadians right now, since their country's on there while the US's inclusion is now dodgy thanks to Safe Harbor being rescinded. The point, of course, is that compliance with Safe Harbor is just one of the ways of transferring data legally.
Stepping back for a moment, I’d mentioned that when exporting data you need to be mindful of the “adequacy” of your protection mechanisms and policies. The ICO is very keen on this word – and no surprise, as it has a document here (PDF) that tells you all about how to determine what's adequate.
This document is helpfully reassuring, as it tells you that you need to be mindful of privacy requirements: “If you decide you need to transfer personal data outside the EEA, and the recipient is not in a country subject to a positive finding of adequacy by the Commission, nor signed up to the Safe Harbor Scheme”.
DIY data protection
Now, I'm not a lawyer, but my reading of the last eight words is that you simply need to assume that no country's signed up to the Safe Harbor Scheme (since it's not valid any more) and simply press on with your consideration of how to maintain privacy. And the guidelines are pretty simple:
- Do a proper risk assessment. Nothing difficult there, you'd have had to do it with Safe Harbor anyway (albeit that it'd probably have been a bit less onerous).
- If you don't think the place you're transferring to is well-enough protected, add your own safeguards.
- Check out the eighth principle of the ICO guide and see if you can use any of the exceptions it offers.
The ICO helps you out with the second point, incidentally: it provides guidance for model clauses (standard contract clauses for which they provide templates) or binding corporate rules (which enable something similar to what the Safe Harbor process provided in terms of a multi-state umbrella arrangement but which need to be registered on a fairly onerous company-by-company basis).
So, then, what does the average IT manager need to do about the new Safe Harbor ruling?
- Don’t rush into anything. As the ICO said about the need for companies affected by the ruling to amend their setups: “We recognise that it will take them some time for them to do this.”
- Remember, Safe Harbor is just one of the ways you can legally transfer data outside the EEA – and that it only affects transfers to the US. If you have locations outside the EEA and US to where you transfer personal data, you'll already be working with the rules that relate to those exports. We've mentioned the three steps you need to follow – just start by using them.
- Be happy you're not trying to move data from the US. Its data export regulations are incredibly tedious, to the extent that you don't even have to move the data out of the US for it to be considered an export.
Finally, the one thing you ought to read on the subject is the ICO's short response to the ruling. In a couple of pages, here, it sums up superbly the implications of the ruling and how to proceed. ®