The European Court of Justice ruled in October 2015 that the EU's ‘Safe Harbour’ agreement with the US, which allowed the transfer of EU citizens’ personal data to the US, is no longer valid because it does not adequately protect consumers. The decision was made in the wake of the Edward Snowden revelations regarding mass surveillance by the US government of personal data held in the US. Now that the agreement has been declared invalid, US companies can no longer rely on self-certification and must find another means of guaranteeing an adequate level of protection.
Companies most likely to be affected are those which use US-based cloud services to store or process their personal data. They will need to consider other options, such as seeking consent from data subjects, using BCRs (binding corporate rules) for intra-group transfers or getting the US cloud providers to sign up to EU approved ‘model’ contract clauses (which guarantee an adequate level of protection).
As a result of this ruling, businesses that transfer personal data to the US could find themselves in breach of the 8th principle of the Data Protection Act 1998. This could lead to investigation by the Information Commissioner, fines and unwanted media attention. In order to reduce the risks posed by this, we advise you to:
- Carry out an assessment of what personal data you transfer to the US (under the Safe Harbour arrangement). Do not forget to check the location of any subcontractors that your suppliers use in the background;
- Assess and put in place the most suitable alternative to Safe Harbour; and
- For sensitive data, use encryption where possible when transferring personal data to the US, as this anonymises the data, which means it is not caught by the legislation.