By Tim Hyman, Oct 22 2015 07:41PM
The EU advisory body, the 'Article 29 Working Party', issued a press release on Fri 16th October essentially warning businesses that simply ignoring the invalidity of the previously relied-upon Safe Harbour will not be acceptable.
They use strong language (and even bold to emphasise) to state "if by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions which may include coordinated enforcement actions."
In a previous blog 'Safe Harbour under water' I commented that law firms (although this applies to any firm transferring data to the US) should at the very least do the following:
1 Know where your data is, what type of data it is and who has access
2 Implement Information Security best practice
3 Have a plan B (now that Safe Harbour cannot be relied upon)
It now seems that whilst these actions should be seen as common sense and something any business should be doing in any case, they may not on their own be enough post January.
A brave (and some might say foolhardy) firm can of course interpret the Working Party statement as permission to 'keep calm and carry on' taking no action until January but this would be a huge risk as introducing any process change will be time consuming. It is also likely that the EU Data Protection authorities will be looking for a few high profile examples post deadline.
At a bare minimum it is clear that all businesses need to understand if and how this might affect them. An excellent place to start, and something that all businesses should do in any case, is to complete an Information Asset Register recording where their data is, the type of data it is, whether it is being transferred out of the EU, its importance to the business and who has access to it. This is relatively straightforward but can be time consuming, although well worth the effort. A simple but useful template is available here
General legal opinion is that, whilst it is still likely a new data transfer agreement will be formulated, in its absence and in case of delays the 'model contract clause' is the acceptable and legal alternative.
What is a model contract clause?
Essentially it is a contractual agreement between two parties, the use of which ensures compliance with the 8 principles of data protection. There are two types of model contract clauses:
a) controller to controller - e.g. transferring personal data from one company to another company, which will then use it for its own purposes.
b) controller to processor - e.g. transferring data outside of the EU to a company that provides you with IT services or runs a call centre for you.
A very helpful and detailed guide to model contract clauses is provided by the Information Commissioner's Office, which you can get here
I suspect there is more to come on this particular topic, and I personally still expect a Safe Harbour 2.0 to appear before too long, but in the meantime know your data, know your processes and document them.