
By Tim Hyman, Oct 22 2015 07:41PM

The Article 29 Working Party, the EU's data protection advisory body, issued a statement on Friday 16th October essentially warning businesses that simply ignoring the invalidity of the Safe Harbour framework they previously relied on will not be acceptable.

They use strong language (even using bold for emphasis) to state "if by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions which may include coordinated enforcement actions."

In a previous blog 'Safe Harbour under water' I commented that law firms (although this applies to any firm transferring data to the US) should at the very least do the following:

1 Know where your data is, what type of data it is and who has access

2 Implement Information Security best practice

3 Have a plan B (now that Safe Harbour cannot be relied upon)

It now seems that whilst these actions should be seen as common sense, and something any business should be doing in any case, they may not on their own be enough after January 2016.

A brave (and some might say foolhardy) firm can of course interpret the Working Party statement as permission to 'keep calm and carry on', taking no action until January, but this would be a huge risk, as introducing any process change is time consuming. It is also likely that the EU data protection authorities will be looking for a few high profile examples once the deadline has passed.

At a bare minimum it is clear that all businesses need to understand if and how this might affect them. An excellent place to start, and something that all businesses should do in any case, is to complete an Information Asset Register recording where their data is, what type of data it is, whether it is being transferred out of the EU, its importance to the business and who has access to it. This is relatively straightforward but can be time consuming, although it is well worth the effort. A simple but useful template is available here

General legal opinion is that, whilst it is still likely a new data transfer agreement will be formulated, in its absence and in case of delays the 'model contract clauses' are the accepted and legal alternative.

What is a model contract clause?

Essentially it is a contractual agreement between two parties, the use of which is intended to ensure compliance with the eight data protection principles. There are two types of model contract clauses:

a) controller to controller - e.g. transferring personal data from one company to another company, which will then use it for its own purposes.

b) controller to processor - e.g. transferring data outside of the EU to a company that provides you with IT services or runs a call centre for you.

A very helpful and detailed guide to model contract clauses is provided by the Information Commissioner's Office (ICO), which you can get here

I suspect there is more to come on this particular topic, and I personally still expect a Safe Harbour 2.0 to appear before too long, but in the meantime know your data, know your processes and document them.

By guest, Oct 22 2015 12:35PM

The European Court of Justice (ECJ) has ruled that the Safe Harbour framework used by the US and EU is invalid in a decision that could have major implications for firms that process personal data and move it between geographies.

There are therefore, in my opinion, 3 'must dos' for law firms:

1 Understand your firm’s data storage and transfer processes

Do you know where and what your data is? Ignorance is certainly NOT bliss.

2 Implement Information Security best practice

Clients have a right to know that you have at least applied best endeavours to keep their data safe.

3 Have a plan B

With the legal community predicting a string of litigation cases, ensure you have alternatives available to Safe Harbour protection.

What is Safe Harbour?

The Safe Harbour rules were introduced in 2000 by the European Commission. They were essentially a framework of seven principles designed to make it simple for US companies to transfer data on EU citizens to the US while avoiding expensive legal challenge.

Used by many firms, including Facebook and Microsoft, Safe Harbour approval required protocols to be in place such as informing users of data collection, ensuring its security and offering the ability to 'opt out' when using a service.

Why the ECJ decision?

We can blame the NSA for that. Following Edward Snowden's leaks, the ECJ ruled that Safe Harbour does not provide adequate protection, because firms operating under it could not ensure that data was protected, primarily due to the US security services' ability to access and use it for their own purposes. The court also found that EU citizens had no effective means of legal redress under the agreement, thereby infringing their rights.

Who is affected?

This is not always obvious, but it is certainly any firm that transfers data relating to EU citizens to the US. If in doubt you should seek legal advice as to whether your current practices are now at risk, but here are a few examples of where law firms may want to ask a few questions:

CRM systems

Client 'opt in' permission can probably be sought using the letter of engagement or terms of business, but what about prospect data? Do you keep data in a CRM system? Is that system, or any part of it, hosted in the US? Do you share that data with US colleagues? Do you record how you obtained that data? Did you seek explicit permission to share the data?

Cloud services

Do you use any cloud based systems to store personal data, such as HR, Document Management or Marketing systems? Are any of these services US hosted? If not, can the providers guarantee that they do not back up that data to the US?

Centralised Admin

Do you have any central administration departments such as HR, Accounts, Marketing or Payroll? Is data collected in the EU and transferred to the US?

What now?

There will no doubt be a 'wait and see' period, as the European Commission has said it will issue "clear guidance" in the coming weeks to prevent national data protection authorities issuing conflicting rulings. Whilst there is no need for panic, it is important for firms to get ahead of this by preparing and planning for alternative arrangements.

Going back to the 3 'must dos' in a little more detail:

1 Understand your firm’s data storage and transfer processes

It is essential (and simply good practice) that you know where all of your data resides. It is also becoming more prudent to understand the type of data you hold, how (or whether) it is protected and who has access. In terms of transfer, it is a very valuable exercise to map out and document any transactional data movement that occurs within the business. Is all or only some of the data moving? Is it encrypted in transit? Is it the original data that moves, or are copies being propagated across your enterprise?

2 Implement Information Security best practice

Even though you may feel confident that data is not being transferred to the US, it is inevitable that changes to Safe Harbour, and any other headlines relating to data security, will lead to clients increasingly scrutinising your information security standards, possibly even demanding evidence of best practice. Consider implementing the excellent ISO 27001 standard or, to at least start down that road, take a look at the less complex and more affordable ProSec2 framework, covered in more detail here

3 Have a plan B

Whatever happens in the next few months is likely to cause considerable business disruption for those who were operating under Safe Harbour rules. Legal consensus is that explicit, as opposed to implicit, consent to data usage is always going to help, and one alternative is for the two parties involved to draw up and sign "model contract clauses", which set out the US party's privacy obligations. It has even been suggested that it may be necessary to re-architect the data storage infrastructure by relocating servers, although that would seem a little extreme.

The future?

The US and EU have in fact been negotiating to update the Safe Harbour pact for nearly two years, including an 'umbrella' agreement that sets out protocols for data sharing between US and EU government agencies. With huge corporations such as Google, Facebook and Microsoft likely to apply pressure, it won't be long before we see Safe Harbour 2.0.

In the meantime, however, the ECJ decision is likely to be just the first in a series of high-profile data protection and privacy developments in the next few months that will have an impact on business.

The EU is on the verge of introducing a new data protection law that will radically overhaul existing measures, notably by requiring firms gathering data on EU citizens to adhere to EU laws regardless of where they operate. In addition, considerably tougher penalties are on the way, including a staggering proposal for fines of up to 2% of global revenue for a negligent breach.

Inevitably the end of Safe Harbour means there are more questions than answers. Just make sure you are asking the questions. There are never any guarantees with data security, but you owe it to your clients to be informed and, at an absolute minimum, to apply Information Security best endeavours.
