At the beginning of October, the European Court of Justice ruled that the Safe Harbor agreement could no longer be relied on for transfers of personal data from the European Union to the United States. Jeroen Renard, an expert on privacy legislation, foresees many problems for ICT companies if they do not take measures in time, and wants to warn them.
The Safe Harbor agreement was concluded between the European Commission and the United States in 2000. It allowed European organisations to exchange personal data with American companies that had committed themselves to the Safe Harbor privacy principles. The framework became increasingly contested, however, due in part to the USA Patriot Act, which came into effect in 2001 and allowed the NSA and FBI to demand information from American companies without going through the courts.
On 6 October 2015, the European Court of Justice ruled that the agreement no longer offered an adequate guarantee for the protection of transferred personal data. Organisations wanting to send personal data to the United States will therefore need to put other measures in place, Jeroen Renard explains. As CSO at the Odin Groep, Renard is responsible for implementing the measures required under privacy legislation in the configuration of the cloud environments and services that the company provides to its thousands of client organisations.
In principle, Renard tells us, the fact that national supervisory authorities can now conduct their own investigations is not in itself contrary to the priority the European Commission has given to a Digital Single Market. 'However, additional emphasis is placed on the importance of a company-wide control framework and a real partnership with processors of company-specific personal data, such as cloud service providers.'
Renard explains that the decision of the European Court almost immediately resulted in a ban in the German state of Schleswig-Holstein. Although he does not expect things to move as quickly in the Netherlands, he warns that Dutch organisations need to start implementing measures immediately. 'Because', as he explains, 'not only does it require considerable effort to implement other methods for exchanging personal data with countries outside the EU, but the Data Breach Notification Act (Wet meldplicht datalekken) will also soon come into force.'
Three methods for sharing data
He explains that there used to be four methods in all by which organisations could share data with countries not covered by European legislation. The first was joining the Safe Harbor agreement, which has now been invalidated. This leaves three methods.
'An organisation can comply with the rules if it requests permission from each of the individuals whose data it wishes to transfer outside of the EU. But in this case, you are dealing with a tremendous amount of data per person and must take into consideration not only the data of customers but also that of suppliers and employees. It's virtually an impossible task. And what if someone refuses to grant permission?'
A second method is to use model contracts (standard contractual clauses). 'Although there is no longer a licensing requirement to do so, there is still the disadvantage of having to deal with a web of contracts with sub-processors.'
And finally, Binding Corporate Rules can be established within international organisations. 'These make it possible for information to be passed around the world within such organisations, but drafting these rules is a time-consuming job. There is no standard model available as yet and, as far as we know, the Dutch Data Protection Authority (CBP) has not yet approved any set of rules. Requests have, however, already been submitted to the authority for processing.'
The Data Breach Notification Act requires us to move quickly
Renard stresses that, although this will not be made mandatory overnight, we do need to press on. 'The Data Breach Notification Act will come into force on 1 January 2016. Under this act, a 'serious' data leak must be reported to the Dutch Data Protection Authority, and all leaks within an organisation must be registered. Non-compliance with the requirements of the Personal Data Protection Act also falls within the definition of a data leak, and that is the case if personal data is passed on to the United States under the Safe Harbor arrangement despite the decision of the European Court of Justice. This can result in significant fines being imposed by the authority.'
Renard wonders whether organisations are truly aware of the pressing need to start working on the issues put forward by the EU in the area of privacy protection. 'A data leak can occur quickly. From 1 January 2016 onwards, all of these have to be registered and, in certain cases, reported to the authority and, if necessary, to the individuals involved.'
Europe and the United States have since reached an agreement in principle on the storage of European users' data in the US. This agreement replaces Safe Harbor, which was declared invalid by the European Court of Justice at the beginning of October.