Shoosmiths partner Anastasia Fowle considers the changes in data sharing arrangements between Europe and the US
The European Court of Justice ruled in October 2015 that the data sharing framework between the EU and US, referred to as Safe Harbour, is invalid.
On 2 February 2016, the EU and US authorities agreed in principle on a "new" Safe Harbour arrangement, known as the Privacy Shield.
Principle 8 of the Data Protection Act (DPA) 1998 requires that personal data must not be transferred outside the EEA without adequate protection for the rights and freedoms of individuals. The Safe Harbour scheme was designed to ensure that the transfer of EU citizens’ data to the US was adequately protected in line with Principle 8.
With a major shake-up of EU data protection legislation expected to take effect in 2018, under which businesses could face fines of up to 4% of global annual turnover for a breach, the change to Safe Harbour is only the start of a greater transformation in the complex world of data protection compliance, one that leasing and financing businesses simply cannot afford to ignore.
Safe harbour – not so safe
The Safe Harbour framework worked by allowing US companies to self-certify their adherence to a set of principles reflecting EU data protection law. Information could then be transferred easily and routinely to Safe Harbour-registered US companies without the need to obtain consent or put in place other methods of complying with Principle 8.
In the wake of revelations of mass surveillance by the US National Security Agency (NSA), Safe Harbour came under the microscope of the European Court of Justice, which ruled the framework invalid because it did not adequately protect the privacy rights of EU consumers.
The court’s decision stemmed from a complaint made to the Irish Data Protection Commissioner that US registered companies operating in Europe were being forced to make the personal data stored on their US servers (including that of EU citizens) available to US intelligence services. The complainant was concerned that European citizens’ fundamental privacy and data protection rights were at risk once their data was transferred to, processed, and stored in the US.
Although Facebook, the company involved in the case, had signed up to the Safe Harbour programme, its US-based structure left it exposed to NSA mass surveillance regardless. Safe Harbour could not protect EU citizens' data from increasingly invasive US surveillance once it had been transferred stateside: EU privacy law was being overridden by US national security, public interest and law enforcement requirements as soon as the data reached the US.
With many leasing and financing businesses using the Safe Harbour scheme to transfer data to the US across subsidiaries, to partner companies or as part of their IT infrastructure, the industry needs to ensure that it is protecting personal data relating to customers and employees when it leaves the UK.
A state of uncertainty
Until the Safe Harbour replacement comes into force, the Information Commissioner's Office has encouraged companies engaged in EU-US transfers to consider their other options for complying with Principle 8. In particular, we suggest that leasing and financing businesses consider the following:
Does the information really need to be shared with the US entity? Is there another method of achieving the same objective?
Can the data be anonymised without losing its usefulness? If so, the DPA will not apply, as it covers only data that can identify a living individual, either on its own or in conjunction with other data in the organisation's possession. Effective anonymisation can be difficult to achieve in practice: removing names is not enough if the remaining fields, or a hashed identifier, can still be matched back to a person.
Can model contract clauses be put in place? These clauses have been approved by the EU Commission as ensuring adequate protection for the rights of individuals and can be used for intra-group transfers or transfers to other businesses.
If the transfer is intra-group, can you apply for approval for binding corporate rules? The application process can be cumbersome, but the result is better flexibility for companies with complex and ever-changing group structures.
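To show why the anonymisation option above is harder than it looks, the following Python is an added illustration written for this article's point; it is not code from Shoosmiths or from the original piece, and the records, postcodes and the EU-held key are all constructed. It compares three treatments of a customer list before it is sent to a US entity: an unkeyed hash of the email address, a keyed hash (HMAC) with a secret that stays with the EU entity, and aggregation with small-count suppression. Only the last produces output that no longer identifies anyone.

```python
import hashlib
import hmac
from collections import Counter
from typing import Callable, Iterable, Optional

# Constructed sample records for illustration only (not real customers).
RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "age": 34, "asset": "van"},
    {"email": "bob@example.com", "postcode": "SW1A 2BB", "age": 37, "asset": "van"},
    {"email": "carol@example.com", "postcode": "M1 1AE", "age": 52, "asset": "car"},
    {"email": "dave@example.com", "postcode": "M1 2AB", "age": 58, "asset": "car"},
    {"email": "erin@example.com", "postcode": "EH1 1YZ", "age": 29, "asset": "forklift"},
]

# Hypothetical secret that the EU entity keeps and never sends to the US recipient.
EU_HELD_KEY = b"example-eu-only-secret"


def sha256_token(email: str) -> str:
    """Treatment 1: unkeyed hash of the identifier. Looks opaque but is reversible by guessing."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def hmac_token(email: str, key: bytes) -> str:
    """Treatment 2: keyed hash. Unguessable without the key, but the key holder can still link it."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def reverse_by_dictionary(token: str, candidates: Iterable[str],
                          tokenise: Callable[[str], str]) -> Optional[str]:
    """What a recipient (or attacker) holding a list of plausible inputs can do to a token.
    Email addresses are a small, guessable input space, so an unkeyed hash falls to this."""
    for candidate in candidates:
        if hmac.compare_digest(tokenise(candidate), token):
            return candidate
    return None


def generalise(record: dict) -> tuple:
    """Treatment 3: drop direct identifiers and coarsen quasi-identifiers.
    Full postcode -> outward code, exact age -> ten-year band; the asset type is kept."""
    outward = record["postcode"].split()[0]
    decade = record["age"] // 10 * 10
    return (outward, f"{decade}-{decade + 9}", record["asset"])


def anonymise(records: Iterable[dict], k: int = 2) -> dict:
    """Aggregate generalised records and suppress any group smaller than k,
    so that no row in the output corresponds to a single identifiable person."""
    counts = Counter(generalise(r) for r in records)
    return {group: n for group, n in counts.items() if n >= k}


if __name__ == "__main__":
    guesses = [r["email"] for r in RECORDS] + ["nobody@example.com"]
    t = sha256_token("alice@example.com")
    print("plain hash reversed to:", reverse_by_dictionary(t, guesses, sha256_token))
    t = hmac_token("alice@example.com", EU_HELD_KEY)
    print("keyed hash, recipient without key:", reverse_by_dictionary(t, guesses, sha256_token))
    print("keyed hash, EU key holder:",
          reverse_by_dictionary(t, guesses, lambda e: hmac_token(e, EU_HELD_KEY)))
    print("aggregated, k=2:", anonymise(RECORDS))
```

The point for Principle 8 is in the second case: the HMAC token is opaque to the US recipient, but the EU entity can still resolve it back to a person with its own key, so in its hands the token remains personal data (it identifies an individual "in conjunction with other data in the organisation's possession"). Both hashing treatments are pseudonymisation rather than anonymisation. Only the aggregated, suppressed table in the third case is plausibly outside the DPA, and even that depends on the groups staying large enough that no combination of outward code, age band and asset type singles out one customer.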
Businesses that adopt none of the above routes can instead evaluate their compliance by way of "self-assessed adequacy", which involves weighing a wide range of factors. The fact that a US company was Safe Harbour registered, and therefore undertook to adhere to the principles agreed with the US on protecting the rights of EU citizens, may be one such factor.
The court ruled that the Safe Harbour scheme was inadequate, but this does not mean that every US-registered company is inadequately protecting the personal data it holds. That said, self-assessed adequacy is a risky option for many, as it does not automatically amount to compliance with Principle 8.
One way to evaluate the risks in this context is to conduct a Privacy Impact Assessment, which allows the business to weigh the risks that sharing the data poses to the rights of individuals against the legitimate business reasons for, and benefits of, doing so. Businesses must have visibility of exactly what data is moving outside the organisation and should audit their data transfer processes to ensure that they are putting the privacy of their customers first.
Furthermore, the corporate mindset must change to build data protection compliance into the planning of projects, rather than as an afterthought.
Leasing and financing businesses must not forget their other obligations under the Act. Key among these is ensuring the suitability and robustness of the security measures used to protect personal data processed by the organisation. Encryption is an effective way to achieve data security and may be one way to safeguard data in transit between the EU and US, as it makes the data unreadable to anyone without the secret key that enables decryption. Encryption does not by itself take a transfer outside Principle 8, however: if the US recipient holds the decryption key, the data is personal data in its hands as soon as it is decrypted, so who holds the keys matters as much as which algorithm is used.
A new Privacy Shield?
There have been ongoing discussions between the EU and the US about replacing the Safe Harbour scheme since the October decision. On 2 February, a new "Privacy Shield" replacement was announced, which aims to provide a workable solution but is not likely to be in force for some months. While the announcement has been welcomed by many, there is much uncertainty over whether Privacy Shield will be any better than Safe Harbour.
The issue of transfers of personal data from the EU to the US continues to be in the spotlight.
Until the Privacy Shield framework is finalised, leasing and financing businesses should take additional measures to protect themselves and their customers.