Safe Harbor Update: What you need to do NOW
Dec 21, 2015
Author: Alison Berryman
As discussed in our last newsletter, the European Court of Justice has effectively ruled the ‘Safe Harbor’ agreement between Europe and the US invalid. This means that European businesses can no longer use this as a way to show that the protection offered by a US company is “adequate” for the purposes of the Data Protection Act 1998.
Therefore, from 31 January 2016, any business transferring personal information to a US service provider (which includes any use of very popular online services, such as Amazon Web Services, Salesforce.com, SugarCRM and MailChimp) risk being fined if they do not put the correct alternative measures in place.
What does this mean for your business?
You may believe that this ruling doesn’t affect you, because you do not transfer any personal information to the US. However, with over 4,000 companies registered under the Safe Harbor agreement – many of whom provide online, digital and hosting services to European businesses – you are more likely to be affected than you might think. If you input any personal information, either of your customers, prospects, staff, suppliers, or anyone else, to an online service, then you should check where they are based and the steps they are taking to provide adequate protection, in the absence of Safe Harbor.
What should you now do to protect yourself?
- Identify all of the online services you are using into which you might input personal information.
- Work out where these providers are based. Usually a quick look on their website will provide this information.
- If they are outside the EU then you need to check whether the protection they afford is “adequate” for the purposes of the Data Protection Act 1998. This can usually be done by looking at their privacy policies. A few examples can be found at the following URLs:
If this is the only way in which they are protecting personal information (and Salesforce.com and SugarCRM, amongst many other seem to be in this position at the moment) then, as discussed above, this will not be adequate.
b. The current simplest alternative is to put in place a data processor agreement containing the EU prescribed “model clauses” with your service provider. This can be agreed between the parties to contractually bind the service provider to the applicable laws. Some companies, such as Amazon and MailChimp, have already put in place a standard form contract for their customers to sign up to. Others will be happy to sign a document sent to them by you, their customer.
c. Another option is for the service provider to put in place “binding corporate rules”, which would allow them to share information from the EU with parts of the organisation outside. This is a complicated and time consuming process and is primarily carried out only by the largest multinational corporations.
5. If your current service provider does not provide adequate protection for personal information then you have a number of options.
a. As mentioned above, you should identify whether they have provided a data processor agreement for their EU customers – if they have done so then the easy option is for you to execute it (having first checked that it is drafted correctly!).
b. If the service provider has not offered to provide a data processor agreement for their EU customers off its own bat, you could still ask them to do so to see whether they will comply – you need to do this promptly as the deadline of 31st January 2016 is fast approaching!
c. As an alternative, you could ask the service provider to sign a data processor agreement that you have prepared for them. This might make sense if you have a number of different non-EU services providers as they would all then be signed up to the same terms.
d. If none of the above options are available then you may need to move to a different service provider that can give the necessary assurances.
What can Waterfront do for you?
We can advise you on all aspects of data protection and the Safe Harbor ruling. In particular, we can look at all of your service provider arrangements and tell you whether there are any that do not comply with the law. We also routinely draft and review data processor agreements and can therefore assist you with ensuring the compliance of your overseas service providers.
Do not delay! As mentioned above, the Information Commissioner’s Office has agreed that until 31st January 2016 no action will be taken in respect of non-compliance in light of the Safe Harbor ruling, however, after this data the ICO may commence enforcement action against any businesses that continue to transfer data to the US under the Safe Harbor regime without putting in place any other protective measures. Such enforcement action could take the form of significant fines (the ICO has the ability to award fines of up to £500,000).
If you have any questions about the issues raised in this blog, call Alison Berryman on 020 7234 0200 or e-mail firstname.lastname@example.org.