How safe is your data, now that Safe Harbour is invalid?on 10 November 2015
Fifteen years ago, the ‘Safe Harbour’ guidelines were defined by the United States (US) to give some safeguards for data belonging to European Union (EU) citizens held in the US. The safeguards were intended to provide a similar level of security to those currently enjoyed within the EU.
For many years, organisations have been storing their data outside of the EU, particularly in the US. Unfortunately, the US has its own laws about how data can be accessed and used. In theory, this means that the US government could access your data and use it for its own ends.
On October 6th 2015, the European Court of Justice issued a ruling saying that the protection offered by the US ‘Safe Harbour’ guidelines is not adequate.
‘Safe Harbour’ has the following problems:
1. ‘Safe Harbour’ is voluntary – organisations can choose whether they comply or not. In practice most do, but if they don’t, they may still use your data in ways you don’t want (or know).
2. Organisations self-certify with the US department of commerce every 12 months and can withdraw at any time, thus leaving your data vulnerable to misuse if they do.
3. Organisations self-regulate so are not assessed for compliance. You are relying on those organisations to interpret and implement the guidelines without anyone checking how they do, or even if they do it.
What this ruling means
This ruling now gives EU regulators the right to investigate any US organisation they don’t believe have adequate protection for their EU client’s personal data about individuals.
Although, ‘Safe Harbour’ itself has been under discussion for 2 years, an acceptable agreement to overcome the inadequacies has yet to be reached. In the meantime, the US government, among others, is putting new rules in place about access by their authorities to your data, if it is held in US. A new EU Privacy regulation is expected in 2016, which will further complicate the position.
Should I be worried?
If any of your data resides in the US, your level of risk will depend on:
- How much personal data you hold.
- How sensitive the rest of your data is e.g. politically sensitive, commercially sensitive, personally sensitive etc.
- How far you trust your current data storage organisation.
- What sort of agreement you currently have with them with regards to privacy, encryption etc.
Those most at risk are smaller organisations holding personal data about individuals that have the least ability to negotiate moving their data from a US server to an EU server.
What should I do next?
In the meantime you would be well advised to review your position, both internally and externally:
- Check with any solution providers that you currently use for data storage e.g. email, collaboration tools, CRM, cloud based backups, social media etc.
- Where do your solution providers physically hold your data now?
- How quickly can you move your personal data about individuals to an EU based provider?
- What would be the consequence of your data falling into the wrong hands?
- What agreement do you currently have with your solutions providers about where the data is held and what do they do to ensure the security of that data e.g. encryption, access etc.
- If it is in the US, can your solution provider easily move your data to the EU?
- Where can you find a solution provider that holds data in the UK?
Glasscubes is a UK based collaboration tool that supports a full range of cloud based options. Find out more about how they can help you manage your data safely and effectively by calling +44 (0)20 3274 2310.