Stormy Seas Ahead
09 December 2015
Unless you are an IT professional or data protection specialist, you may not have heard of Safe Harbour. The question is – should you have?
The answer is, yes. The Safe Harbour agreement has more of a direct effect on your personal data than you may think.
As discussed previously by our colleagues in various opinion pieces, Safe Harbour was the regulatory framework between the US and EU ensuring US companies complied with European data protection principles when receiving European data. It was recently declared invalid by the European Advocate-General, making it difficult for the many companies that have been relying on this agreement for the past 15 years to ensure that their levels of data protection met EU standards.
When you think about what kind of organisation is likely to transfer your data to the US, social media platforms and the like will invariably spring to mind. For those organisations that are US-based and provide services we in the EU use daily, and given the large volume of data they collect, it is inevitable that some of it will be transferred to and stored in the US.
But the transfer of data across borders isn't limited to US-based companies. Many quintessentially British companies also send data outside of the EU. High street retailers, for example, are often registered as companies authorised to transfer data outside of the EU. That is because retailers often gather data on the sales patterns of their products and call on data analysts and consultants – often based overseas – to provide recommendations to maximise revenue.
Bookmakers including online betting sites are equally reliant on data analysts from all over the world to develop algorithms to ensure they offer the best odds. This means a trip to your local bookmakers results in your data being included in a database shared with overseas consultants.
The Safe Harbour agreement made these transfers possible in compliance with the Data Protection Act 1998 (DPA). Its recent invalidation is likely to have a significant impact on all businesses which relied on it. Data transfers to the US may now require lengthy legal and compliance checks at great additional cost. Failing to take these steps may result in a breach of the DPA, and with it the potential for heavy fines and sanctions.
The uncertainty surrounding the fallout of Safe Harbour’s fall from grace is further compounded by the imminent General Data Protection Regulation, an EU initiative designed to unify data protection within the EU by 2019.
The Commission and most data protection authorities across Europe have acknowledged that it will take time for businesses to resolve the issue.
Despite the Information Commissioner's Office's (ICO) advice not to rush into alternative solutions, this shouldn't stop companies from taking proactive steps. When it comes to data protection and compliance, prevention is always preferable to cure. A good first step is to begin mapping out data flows from your business, and to identify what protection you and any third-party suppliers you deal with have in place.
Although we do not yet know what will replace Safe Harbour, what we do know is that day-to-day business will be impacted. Ultimately, providing services and transferring data between the EU and US will become a regulatory minefield, with reputational consequences for companies who get it wrong. Until a viable universal alternative to Safe Harbour is put in place, prepare for some stormy seas ahead.