Safe Harbor ruling: The lowdown on sharing data with your US counterparts
In October of last year, the European Court of Justice made a significant decision, one that has affected thousands of businesses without their even being aware of it.
The ECJ declared that the Safe Harbor provisions, which for over a decade were in place to allow customer data to be transferred between the EU and the US, were no longer valid. One of the key reasons for this decision was the significant access that US intelligence agencies had to data that had been transferred under the provisions - access that directly contradicted the European data protection directive.
Until now, Safe Harbor allowed thousands of companies to provide EU-level data protection within the US and thus obtain permission to transfer customer data out of EU jurisdiction and into the US. The court did not allow any period of grace, so many US companies holding data on European citizens are now in breach of the directive.
Safe Harbor was also vital to UK businesses which held customer data in the US. And while only a few thousand companies actively and directly utilised the provisions, by self-certifying their data protection levels, in reality almost all businesses have been affected by this ruling.
A UK business holding customer data immediately becomes classified as a data controller, and is bound by the EU data protection directive, and the 1998 UK Data Protection Act, overseen here by the ICO - the Information Commissioner’s Office. A data controller needs to abide by many rules, such as processing the data fairly and lawfully, and ensuring both technology and processes are put in place to avoid any kind of data breach or loss.
Most businesses, as they start growing, will find themselves using more and more technology providers to optimise and accelerate their growth. The software-as-a-service industry has arisen to cater for just about every demand that a business has, and applications exist to power everything from marketing to financial management.
When a business takes on a technology provider, it often finds itself using that technology to process and act on its customer data. For example, in marketing terms, the most exciting opportunity for retailers right now is improving customer experience through personalisation. So a retail business might decide to do customer lifecycle marketing - a framework which lets it communicate with each customer in a personalised way, based on the various interactions that customer has had with the business. To do this, it would use a technology that connects transactional data with on-site interaction behaviour and links it all to a specific profile - all so that the consumer can then be targeted with personalised messages.
In this scenario, the technology provider is merely a data processor. The retailer remains the owner of that customer data - the data controller - and is ultimately responsible for handling it in line with both the EU and UK regulations. The technology provider would have no rights to that data, but would also face no specific responsibility should anything incorrect be done to it.
So, in a relationship of this nature, it’s vital that the retailer carefully assesses the processes the technology provider uses to handle the customer data - which internal controls they have to ensure protection against both human error and purposeful leaks, which technology systems they use to protect the data against hacking, and how they ensure that the retailer would abide by the regulations.
The above is necessary even if the technology provider is EU-based. But the majority of such technology providers are US-based companies. While the UK now has a thriving technology sector, most advances still come from the US, and businesses wanting to use the latest technologies would end up using a US provider. Most of these US providers do have the relevant data security processes in place, and until now have been relying on the Safe Harbor provisions to ensure that their clients, those UK and EU businesses, do not breach any regulations.
It is these relationships that have been significantly affected by this ruling. Most of these technology companies are still US-based, have their entire technical infrastructure in the US, and therefore transfer all customer data into that jurisdiction as soon as their services are used. Without Safe Harbor, UK-based companies using their services would find themselves in breach of regulations - and it would be those businesses themselves which would be at risk, not the technology providers.
Given the scale of the problem, the European Commission is negotiating with the US government to implement a replacement for Safe Harbor. But as things stand, the majority of companies who previously relied on it to comply with the EU regulations now find themselves out of compliance. And the fines for being in breach are not small - the potential amount goes as high as 5% of annual worldwide turnover.
The current solution being put in place by US companies is the use of European Union Model Clauses - standardised clauses between a service provider and a customer to ensure that any personal data being transferred to the US will be in compliance with the EU Data Protection Directive. Larger companies, from Microsoft to Salesforce, have immediately updated their contracts to include these. What this means in reality, however, remains untested, and it is only a matter of time before someone challenges these in the same way as they have just successfully challenged Safe Harbor.
So for a UK-based business, the only way to truly avoid exposing itself to risk is to use a European technology provider, and to validate that the provider's entire infrastructure, whether it uses cloud data centres or its own servers, is based in the EU. By ensuring that personal data isn’t transferred out of the EU, UK businesses can be certain that they are not affected by the removal of the Safe Harbor provisions, and don’t have to spend time and money researching alternatives and ensuring they are still protected.