Who in the world is handling your data? Maybe Joshua Crass in Oregon has it on this Facebook Data Center Server Board. Photo by IntelFreePress on Flickr
You may not think that much about where all the personal information you share on Facebook is physically stored, but because each country has different rules about the data stored within their territory, this global data sharing is presenting a complex challenge for anyone involved in personal data collection and storage.
The rules in the EU are different from those in the US, yet millions of Europeans are sharing their data with companies whose computers are located in America, and thus who are subject to different rules on who can access that data.
The EU places strict limitations on transferring data overseas and, until now, an arrangement called Safe Harbor has been used to allow US companies to store a European citizen’s data without having to have individual case-by-case agreements with all parties. The Safe Harbor scheme is a set of principles and rules for processing personal data.
US organisations wishing to transfer personal data from the EU to the US may subscribe to the scheme voluntarily with the US Department of Commerce. An agreement was reached between the US and the European Commission in 2000 that US companies that subscribed to Safe Harbor would be considered to be operating within the requirements of the European legislation.
However, following Edward Snowden’s revelations of the levels of interference with personal data by American security agencies, it has become apparent that data protection in the States is incompatible with EU data protection laws.
A certain Mr Max Schrems of Austria brought a challenge to Facebook in Ireland through the European courts. Does Facebook, which stores a lot of data in the States, ensure that a European’s data is looked after correctly according to EU regulations?
As a result of this case, the European Court of Justice has declared that this Safe Harbor agreement is invalid for failure to comply with Article 25(6) of the Data Protection Directive. Safe Harbor no longer provides sufficient protection to European citizens when their personal data is transferred to the USA.
So the 4500+ companies that are relying upon it to cover the transfer of information from Europe to the US will have to put in place alternative mechanisms.
Facebook must also be investigated further by the Irish Data Protection Commissioner (DPC). If the DPC decides that Facebook’s activities have not provided adequate protection for European Facebook users, then it may suspend transfers of personal data to American servers with immediate effect.
Are many businesses affected?
The ruling is far wider than just Facebook and other tech giants. There is as yet no allegation that Facebook has done anything wrong, but, as Safe Harbor has been ruled invalid, thousands of businesses have significant work to do!
As stated, some 4,500 US companies are currently signed up to Safe Harbor. They will now have to put in place alternative means of ensuring that they comply with the European data protection legislation.
But many other companies also send data about their employees and their customers to the US. Companies with a US parent often use IT systems located at the US headquarters to administer personal data such as HR and CRM.
Likewise, significant numbers of companies outsource their IT systems to cloud service providers, which frequently use US-based servers to store the data. Even companies that, for example, send payroll data to the US for administrative purposes will be caught by the collapse of Safe Harbor.
What will we do instead?
For businesses operating in Europe and the USA, the significance of this decision should not be underestimated. Transfers of personal data from Europe to the USA made solely on the basis of the protection afforded by the Safe Harbor Agreement are no longer compliant with data protection law, so clearly any organisations that have been relying on Safe Harbor will now have to find another way to comply with their data protection obligations.
The most common response will be to sign up to model contract clauses. However, this will cause an administrative burden, particularly as the collapse of Safe Harbor has the following effects:
- Individual European countries can set their own regulation for US companies’ handling of their nationals’ data. This means that US companies may have to comply with different regulations for each European country. This will mean numerous different contractual requirements;
- Countries can choose to suspend the transfer of data to the US — forcing companies to host user data exclusively within the country. Russia has recently introduced this requirement and others may follow suit.
So, if affected, your business needs to consider:
- Can the transfer of data be suspended? Can you move all your data storage to the country in which you operate?
- Where transfers of data to the USA are still necessary, put in place model data protection contractual clauses in respect of those transfers, or set up corporate rules in respect of intra-group transfers of data.