Shoosmiths partner Anastasia Fowle considers the changes in data sharing arrangements between Europe and the US

The European Court of Justice ruled last October that the data sharing framework between the EU and US, referred to as Safe Harbour, is no longer valid.

On 2 February 2016, the EU and US authorities agreed in principle on a "new" Safe Harbour arrangement, known as the Privacy Shield.

Principle 8 of the Data Protection Act (DPA) 1998 requires that personal data must not be transferred outside the EEA without adequate protection for the rights and freedoms of individuals. The Safe Harbour scheme was designed to ensure that the transfer of EU citizens’ data to the US was adequately protected in line with Principle 8.

With a major shake-up of EU data protection legislation expected in 2018, which means businesses could soon face fines of up to 4% of their global annual turnover for a breach, the change to Safe Harbour is the start of a greater transformation in the complex world of data protection compliance that leasing and financing businesses simply can’t afford to ignore.

Safe harbour – not so safe

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Leasing Life.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

The Safe Harbour framework worked by allowing US companies to self-certify their adherence to a number of principles of compliance with EU data protection legislation. The scheme meant that information could be easily and routinely transferred to US companies who were Safe Harbour registered, without the need to obtain consent or put in place other methods to comply with Principle 8.
In the wake of revelations of mass surveillance operations by the National Security Agency (NSA), Safe Harbour came under the microscope of the European Court of Justice who ruled the Safe Harbour framework to be invalid as it doesn’t adequately protect the privacy rights of EU consumers.

The court’s decision stemmed from a complaint made to the Irish Data Protection Commissioner that US registered companies operating in Europe were being forced to make the personal data stored on their US servers (including that of EU citizens) available to US intelligence services. The complainant was concerned that European citizens’ fundamental privacy and data protection rights were at risk once their data was transferred to, processed, and stored in the US.

While Facebook, the company involved in the matter, had signed up to the Safe Harbour programme, the company’s US-based structure made it nonetheless vulnerable to the NSA’s mass surveillance. The Safe Harbour scheme was unable to protect EU citizens’ data from increasingly invasive US surveillance once the data has been transferred stateside. EU privacy laws were being overridden by US national security, public interest and law enforcement requirements once the data is transferred to the US.
With many leasing and financing businesses using the Safe Harbour scheme to transfer data to the US across subsidiaries, to partner companies or as part of their IT infrastructure, the industry needs to ensure that it is protecting personal data relating to customers and employees when it leaves the UK.

A state of uncertainty

Until the Safe Harbour replacement comes into force, the Information Commissioner’s Office has encouraged companies engaged in inter EU-US transfers to consider their other options in order to comply with Principle 8. In particular, we suggest that leasing and financing businesses should consider:

Does the information really need to be shared with the US entity? Is there another method of achieving the same objective?
Can the data be anonymised without losing its usefulness? If so, the DPA will not apply (it only applies to data which can identify a living individual, either itself or in conjunction with other data in the organisations’ possession). Effective anonymisation can be difficult to achieve in practice.

Can model contract clauses be put in place? These clauses have been approved by the EU Commission as ensuring adequate protection for the rights of individuals and can be used for intra-group transfers or transfers to other businesses.

If the transfer is intra-group, can you apply for approval for binding corporate rules? The application process can be cumbersome, but the result is better flexibility for companies with complex and ever-changing group structures.

If businesses choose not to comply with the above, they can evaluate their compliance by way of "self-assessed adequacy". This involves consideration of a wide range of factors. The fact that a US company has been Safe Harbour registered and therefore adheres to the principles agreed with the US in relation to the protection of the rights of EU citizens may be one factor to consider.

The court ruled that the Safe Harbour scheme is inadequate, but this does not mean that all US registered companies are inadequately protecting personal data in their possession. That said, self-assessed adequacy is a risky option for many as it does not automatically mean compliance with Principle 8.

One method which could be used to evaluate the risks in this context would be to conduct a Privacy Impact Assessment, allowing the business to weigh up the potential hazards of sharing the data for the rights of individuals, against the legitimate business reasons and benefits of doing so. Businesses must have visibility into exactly what data is moving outside of their organisation and audit data transfer processes to ensure that they are putting the privacy of their customers first.

Furthermore, the corporate mindset must change to build data protection compliance into the planning of projects, rather than as an afterthought.

Leasing and financing businesses must not forget their other obligations under the Act. Key among these is ensuring the suitability and robustness of security methods used to protect personal data processed by the organisation. Encryption is an effective way to achieve data security and may be one way to safeguard data being transferred between the EU and US, as it makes the data unreadable without access to a secret key or password that enables decryption.

A new Privacy Shield?

There have been ongoing discussions between the EU and the US about replacing the Safe Harbour scheme since the October decision. On 2 February, a new "Privacy Shield" replacement was announced and aims to provide a workable solution – but is not likely to be in force for a few months. While this has been welcomed by many, there’s much uncertainty around whether or not Privacy Shield will be any better than Safe Harbour.

The issue of transfers of personal data from the EU to the US continues to be in the spotlight.
Until the Privacy Shield framework is finalised, leasing and financing businesses should take additional measures to protect themselves and their customers. <