So, EU data protection law ensures we, as EU citizens, are afforded protection of our privacy, including the protection of our personal data. The EU therefore forbids its citizens’ personal data from being sent to places that don’t guarantee “adequate” privacy protections. How did Safe Harbour come about? Back in 2000 the Safe Harbour agreement came into force to give assurances that any data sent outside the EU to data centres in the US would be properly protected. It effectively meant that US firms could hold the data they collected from EU citizens in the US, provided they complied with agreed principles around storage and security.
Businesses in the US (now about 4,000) self-certified against the Safe Harbour guidelines, and thus organisations such as Google, Microsoft and Facebook could take our data and hold it in their US data centres. We felt ‘safe’ in the knowledge that the information we shared in the UK or EU, which we knew was going to the US, was protected from prying eyes.
Well, in 2013 Edward Snowden put paid to that naïve idea, but we carried on with Safe Harbour. Then, following Max Schrems’ challenge to the validity of the Safe Harbour agreement, the Court of Justice of the European Union declared it invalid in October 2015, citing allegations of indiscriminate mass surveillance by US authorities. As a result, a new Safe Harbour needed to be agreed, or those large US organisations mentioned above might find themselves in a very precarious position when taking EU personal data out of the region. Would they have to make the costly investment of duplicating data-centre infrastructure in the UK?
Clearly hedging their bets, AWS and Microsoft both announced plans for UK data centres the following month.
Now, some months later in February 2016, a new ‘EU-US Privacy Shield’, or Safe Harbour 2.0, is in our midst, with the details still to be decided. Is it better?
- Well, organisations still need to self-certify.
- An independent Ombudsman will be appointed to handle concerns or complaints.
- And the US has given written assurances that public-authority access for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, along with transparency obligations on law enforcement agencies.
Do I sound sceptical? Just days later we hear that the FBI is asking Apple to modify the iPhone’s operating system to enable it to break into iPhones, under the guise of fighting terrorism, but potentially indiscriminately. This doesn’t engender my trust.
The EU-US Privacy Shield has yet to be finalised, and I suspect some negotiation is still required. That leaves us in a bit of a no-man’s land, and clearly not everyone is willing to wait: the French data protection authority, CNIL, has given Facebook three months to comply with its data protection requirements or face sanctions.
So, do you need to be more careful when sharing your personal information? As a business, do you need to consider more thoroughly where you put your own data, and the data you hold on your customers, funders, investors and employees? Should you consider encryption to protect your data wherever it may reside?
How much do you need to be worried about this?
It’s clear that more discussion is needed, particularly once the specifics of Safe Harbour 2.0 are set out. We’ll keep you updated and welcome your comments.