The Safe Harbour ruling means changes for all!!
The European Court of Justice has ruled that the Safe Harbour agreement which allows transatlantic companies to transfer data between Europe and the United States is invalid.
Until now, if a company wanted to transfer data outside the European Union (EU), it needed to comply with Article 25 of the EU Data Protection Directive, which states that the transfer can only occur if ‘adequate protections’ have been established which protect access to the transferred data. The Safe Harbour agreement, originally issued in 2000, gave companies an easy way to transfer data, without having to comply with the different government rulings for data protection that existed within Europe.
The Safe Harbour ruling has been overturned following a case involving Facebook and the transfer of its back-up data between the EU and the US. The court decided that the ability of the National Security Agency (NSA) to access the transferred data contradicted the ‘adequate protections’ clause.
How Are You Affected?
This has significant implications for both the design and governance of IT systems and the location of any data stored on them.
While the companies involved will now draw up and sign what are referred to as ‘model contract clauses’ in order to satisfy the Data Protection Directive, this will take time, and it is questionable how effectively these new clauses can be both implemented and enforced. In the meantime, sensitive EU data cannot now be transferred to the US without obtaining the voluntary consent of the individuals concerned. In practice this is unlikely to be granted and has wider implications in terms of employment law, so the only practical solution is to move all the data stored in the US to the EU.
What About Your Data?
All of the data stored on the systems provided by the Nasstar plc group of companies (e-know.net, Nasstar (UK), Kamanchi and VESK) is stored in UK-based data centres, and is therefore unaffected by this ruling. Whilst VESK are opening a data centre in the US, it will not be used to store any EU data, and information stored in VESK’s data centre in Singapore is unaffected by this ruling.
If you are using Nasstar plc group IT systems to access third-party products that currently store their data outside of the group, this data could be an issue; the applications most likely to be affected are Human Resources, collaboration tools and social media applications. We would advise that the nominated Data Controller in your office consults with the necessary companies to ensure that any sensitive data is not stored or backed up to the US. If it is, it’s more than likely that the data will need to be moved.
At Nasstar plc, we recognise that this could be an arduous task, and if you would like help or assistance in establishing whether you are affected by the ruling and how to rectify the situation, please contact us – we can utilise the services of VESK for Legal to assist.