Do you transfer data to the US?
The European Court of Justice (ECJ) recently ruled that Safe Harbor, a scheme set up to regulate the way in which US companies handle the personal data of European citizens, does not satisfy the requirements that need to be met to safely transfer data to the US.
The judgment affects how organisations in the UK (and the rest of the EU) transfer data to the US. This could refer to data held online by internet service providers (ISPs) or in cloud-based services, if hosted by US providers.
Read on for a step-by-step guide to the ruling, what it means and what steps you need to take to ensure you are compliant.
What is the Safe Harbor Scheme?
The Safe Harbor Scheme was set up in 2000 as a voluntary scheme to regulate the way in which US companies export and handle the personal data (such as names and addresses) of European citizens.
Monitored by the US Federal Trade Commission and the US Department of Commerce, the Scheme uses a similar code of practice to the Data Protection Act (DPA) 1998 in the UK.
Organisations in the UK that transfer data (see examples of types of data in the key points section) to the US have relied upon using the Safe Harbor Scheme in order to stay compliant with English and EU law.
What does the ruling mean for you?
The ECJ has ruled that the Scheme does not satisfy the requirements that need to be met to safely transfer data to the US.
Consequently, the ruling means that existing contracts or arrangements in place that use Safe Harbor when transferring data to the US will not be compliant with the law.
Going forward, organisations must be aware of this decision when entering into any new contracts or arrangements which include dealing with the transfer of data to the US, and organisations must know how to stay compliant.
What do you need to do?
If your organisation transfers data to the US, follow our step-by-step guide to what you need to do:
Review your contracts and identify if any involve transferring data to the US:
- Do they rely upon Safe Harbor?
- If yes, you must find an alternative to ensure the transfer of data meets the standards set out in the DPA and complies with the ECJ decision.
- An alternative is to use the "Model Clauses" provided by the EU, which allow customers to comply with the EU's Data Protection Directive in relation to cross-border transfers of personal data.
- To do this, you will need either to enter into a new contract with the organisation to which you transfer data, or to enter into a variation with the other party that amends the existing terms of the contract to incorporate the EU Model Clauses.
- You should also carry out an Adequacy Test. Guidance on an Adequacy Test can be found on the Information Commissioner's website.
You'll also need to review your other contracts to ensure that where they refer to the transfer of data, regardless of whether US-based or not, they adhere to the standards set out in the DPA and also incorporate the EU Model Contractual Clauses.
It's your business but we can help. We'd be happy to help you further understand your obligations under the Data Protection Act, its Principles and how the Safe Harbor ruling may affect your business. To start a conversation please contact Debbie Venn, Partner and Head of Technology, Media and Telecommunications.
Published: 20 Oct 2015