Shock EU court decision threatens companies hosting data in US. Are you affected? by Katey Dixon, Forde Campbell LLC
On 6th October Europe’s senior court ruled that businesses who transfer EU citizens’ personal data to the US may no longer be able to rely on the methods they’ve used to date. This resulted in a flood of major US tech providers loudly shifting their data stores out of the US and into the EU: Amazon Web Services announced a new UK based cloud services region, and Microsoft has just committed to building up data centres in the UK and in Germany.
What’s the panic? The background is the severity of EU data protection legislation, implemented in the UK as the 1998 Data Protection Act. One of the legislation’s 8 data principles states that personal data should only be transferred to a non-EEA country if that country’s own data protection laws come up to a standard approved by the EU. Only 11 countries have been recognised so far by the EU. The US is not on the list. However, given the volume of trade between the US and the EU (including the fact that the world’s largest data hosting services are US based), a compromise arrangement was constructed by the EU and the US Department of Commerce – the hubristically named “Safe Harbor” scheme. Safe Harbor allows companies in the US to self-certify that they implement adequate data security measures, and to be registered as companies allowed to receive EU data. However, following concerns over US intelligence monitoring of data, a test case argued that the Safe Harbor scheme was anything but secure.
Austrian privacy activist Maximilian Schrems claimed that, in light of the Snowden revelations, the transfer of the data of Facebook users from its international headquarters in the Republic of Ireland to the US amounted to a breach of EU privacy laws. Schrems initially brought the claim against the Republic of Ireland data protection watchdog, the Data Protection Commissioner, who rejected his claim. The European Court of Justice reviewed the Commissioner’s decision. Its 6th October judgment ruled that businesses could no longer rely on Safe Harbor as a guarantee that a transfer of data to the US is legitimate. There’s a bit of legal ambiguity here: the ECJ didn’t say that Safe Harbor itself was invalid, just that the Republic of Ireland Commissioner’s interpretation was incorrect. This ambiguity has led to differing interpretations of the ECJ decision: the EU body representing all member states’ data protection agencies, the Article 29 Working Party, has said that any data transferred from the EU to the US which relies solely on the Safe Harbor Scheme is unlawful. However, the UK’s Information Commissioner is more relaxed. Perhaps in anticipation of the forthcoming Dad’s Army film, the Information Commissioner’s Office has taken a less alarmist approach, with the advice “DON’T PANIC” written in large friendly letters on the Deputy Commissioner’s blog. The ICO suggests that businesses identify what data they transfer to the US, and determine whether the data really needs to leave the EU, before making any decisions. The ICO guidance hints that use of Safe Harbor won’t immediately be deemed to breach UK law, and that the issue of data transfer needs to be worked out over time – perhaps by structuring a “Safe Harbor 2.0”.
What’s the risk for Northern Ireland businesses? If a business collects personal data from an EU country (particularly from countries with the biggest data protection sticks, such as Spain or Germany), and sends it to the US (whether for commercial purposes or just because that’s where the business’ data host has its servers), there’s a risk that in the near future somebody will challenge this in the local courts and the courts may find the transfer illegal. This would make the business liable to fines and enforcement action, as well as forcing the business to restructure how it handles its data.
What should Northern Ireland businesses do?
In the absence of explicit advice from the ICO, we’re currently advising our clients to:
• work out what personal data you send to the US. Remember, personal data includes data held about your employees, as well as the individuals your business deals with;
• identify whether the data really needs to be sent to the US. If the US transfer is only because your hosting provider is based there, can the provider keep it in servers in the EU instead? (Many of the big name hosting services offer this as an option.) If not, is there an alternative EU based hosting provider?;
• estimate the risk to the individuals whose personal data is transferred, were the data to be leaked in the US. Being able to demonstrate that you’ve carried out this risk analysis will be particularly important;
• consider the use of alternative ways to transfer data to the US. One way is to have EU approved model contract clauses incorporated into your contracts with the parties who provide you with data: this sounds great, but in practice the clauses are lengthy, non-negotiable and need a bit of legal tinkering to incorporate. Putting the clauses into future contracts is relatively easy, but negotiating them into past contracts is much trickier – you’ll almost always need the consent of the other party, and they may well ask for a new benefit in exchange for including the data protection wording;
• get explicit consent (in writing) from anybody whose personal data you’re transferring to the US. This may or may not be possible, depending on the number of individuals you’re dealing with. The ICO scrutinises the meaning of consent very carefully, insisting that consent must be freely given. In practice this means the individual must accept a very clear, easily understandable consent statement: opt-out boxes are a no-no. Particular care must be taken with employees, since there’s a presumption that the employment relationship prejudices the freely given nature of consent;
• WATCH THIS SPACE! The ICO isn’t rushing to be specific. The good (?) news is that EU data protection law is due to undergo drastic change in the next few years anyway…
Forde Campbell specialise in data protection law. If you have any concerns about transferring data outside the EEA, feel free to contact firstname.lastname@example.org or email@example.com
Business First January 2016