Safe Harbor. Aside from the American spelling, the phrase throws up images of ships safely in the port while a storm rages out on the seas. You could be forgiven therefore for thinking that the phrase has very little to do with transnational data processing laws; however, you would be wrong.
Safe Harbor is the name of an initiative set up by the U.S Department of Commerce in response to the EU Directive on Data Protection, which was subsequently implemented in the UK by the Data Protection Act 1998 (DPA). Admittedly, as the name suggests, it’s not the most riveting piece of legislation around. That said, it is an enormously important piece of legislation as it effectively governs how companies store and transfer data both inside and outside the EU.
In short, the EU Directive set out that any country outside the EU receiving data from a company operating in the EU would need to meet an ‘adequacy’ standard, in terms of privacy protection for European data subjects. So, by way of an example, a London (EU) subsidiary business could not simply send details of clients to the parent company in New
York (non-EU) without ensuring that the non-EU company was fully compliant with the European data protection rules. Unsurprisingly, this involved a series of complex data processing arrangements between companies and was, frankly, a very expensive and complex process.
Cue the creation of the Safe Harbor scheme; a scheme which allows certain U.S businesses to self-certify their compliance with the relevant EU data protection rules. A fantastically inventive solution to ensure that technology didn’t become a barrier to transatlantic trade, and a popular solution too with over 4,000 US companies self-certifying themselves under the Safe Harbor agreement.
However, last week the Safe Harbor agreement was caught up in a legal storm at the European Court of Justice of the EU when, unfortunately, the current agreement weathered about as well as a dinghy in the middle of the Atlantic Ocean in gale force winds.
Why was the Safe Harbor Agreement struck down by the Court?
Principally, the Court struck down the agreement due to concerns over the privacy of data transferred from the EU to the US; specifically in relation to the wide-ranging powers afforded to the NSA and other security agencies in the US. In essence, the Safe Harbor principles could easily be overruled by US legislation which effectively provides the US with carte blanche to protect its national security. Accordingly, the Court found that this did not provide the European data subject with adequate or effective legal protection. As a result, the Safe Harbor agreement was struck down by the Court.
The Information Commissioner’s Office (ICO), which regulates any dealing with data in the UK, has responded promptly to the case with, thankfully, a pragmatic stance; advising that companies will, of course, need time to react to the ECJ ruling and to make alternative arrangements – good news for UK companies currently transferring data back and forth between the US. Even better news is that work is currently underway to finalise and implement a Safe Harbor 2 agreement. However, until Safe Harbor 2 comes into effect (we’ve no doubt it will be implemented fairly swiftly), UK businesses should be very careful about sending data to the US; even inadvertently where data is stored on ‘cloud’ based servers which are, actually, located in the US.
What does this mean for businesses with transatlantic data dealings?
It almost goes without saying that the most obvious solution is to store your data in the UK on UK based servers. However, for some businesses this is simply not financially viable or practical. This solution also does not take into account businesses which need to transfer data to subsidiaries/parent companies based outside the EU.
For those businesses transferring data outside the EU, as ever, common sense prevails. If data is going to be transferred to the US or stored on US-based-servers then it is imperative that you make enquiries of the data storage policies that they have in place. Additionally you should check that the data is not going to be sent on to third party servers, particularly if these servers are in countries located in less well-regulated parts of the world.
By Aaron Bailey
The contents of this article are intended solely for information purposes only and should not be construed as legal advice or financial advice or opinion in any specific facts or circumstances.
© 2015 Hybrid Legal Limited.