Problems for Companies using US-based Servers with the demise of the Safe Harbour
17th February 2016
Many companies transfer personal data to the US either deliberately, to access services or as part of a corporate group’s arrangements, but many others do so incidentally through the use of US-based servers, commonly as a result of using third-party CRM, payroll or web-shop software. As the US does not have the same level of data protection as we enjoy in the EU, some provisions must be put in place to ensure that where the personal data of EU citizens is transferred to the US it is handled with the same degree of care as we would expect at home. This has been achieved through contractual terms or, more commonly, by using the Safe Harbour provisions, under which the US entity receiving the data self-certifies that it complies with certain rules for handling personal data that have been agreed with the EU as being sufficient: the Safe Harbour. In recent years, however, there has been growing unease that the Safe Harbour provisions do not in fact offer the required level of protection. This has led some organisations to move to service providers based in the EU, or that guarantee to use EU-based servers; others have entered into specific contracts with the US provider. The situation has been brought to a head by a decision of the European Court in the case of Maximillian Schrems that the Safe Harbour provisions are indeed inadequate. Where does that leave companies that have been relying upon them?
At the political level, negotiations are underway to produce an improved version of the Safe Harbour. These negotiations actually started some time ago, but the court decision has clearly given them a new urgency. Businesses, of course, must decide what to do in the interim, as for most of them simply ceasing to transfer data in the meantime is not a practical option. The EU Working Party has said that data transfer that relies solely on the Safe Harbour is now illegal, and this seems to be the agreed position at a national level too, although there is considerable variation in the likelihood of prosecution of companies that continue to permit transfer on these terms. The UK ICO seems the most relaxed and is encouraging companies to make their own risk assessment as an additional safeguard, but how practical is that really for an SME contracting with a multinational data-handling organisation?
The obvious thing to do would be to move from the Safe Harbour to contracts based on the Model Clauses http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm for third-party arrangements and Binding Corporate Rules http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm for intra-company activity. Many companies will already be familiar with these structures for dealing with transfers to countries other than the US that are considered to offer less protection than the EU for personal data. Again, it may be difficult for an SME to agree specific terms with a much larger organisation, and a further problem with this approach is that the Working Party is currently looking at the acceptability of these guidelines and is expected to make a ruling within the next few months. The mass surveillance of data transfer undertaken by the US government has already been highlighted as a potential hurdle to the Working Party’s approval of this approach. Another option is to obtain very detailed consents to your forms of data handling from the individuals affected. This is unlikely to be considered sufficient on its own, but it should be considered as part of a series of protective actions.
What then should you do? Firstly, look carefully to see whether you are making US transfers and, if so, whether you are currently relying on the Safe Harbour. If you are, consider whether continued transfer is necessary. If it is, then look to move to the Model Clauses or BCRs, as the case may be. If you are dealing with a very large third party, ask them what they are putting in place, as they may be able to offer a Model Clause-based contract. Supplement this with detailed consents from all those involved. If you remain concerned, take legal advice.