Back in Summer 2014, I warned readers of DataIQ that the existing mechanism for data transfers between the European Union and the United States was barely fit for purpose. No less a warrior for individual privacy rights than Viviane Reding, architect of the forthcoming General Data Protection Regulation, had said that, “we kicked the tyres [of Safe Harbour] and saw that repairs are needed.”
Before EU and US negotiators could haul the framework down to the garage, the Austrian law graduate Max Schrems took action of his own by complaining to the Irish Data Protection Commissioner about Facebook, whose European operation is based in Ireland. The social network relied on Safe Harbour to ship data on European users across to its US base.
His victory at the Court of Justice of the European Union, which declared the Safe Harbour decision invalid, means this vehicle for moving personal information around is no longer roadworthy. The immediate impact is that any EU-US transfer of personal data relying on Safe Harbour alone now lacks a lawful basis, whether it is happening within an organisation’s own technical environment, through outsourced service providers or, especially, via cloud-based services. Other transfer mechanisms, such as the Commission’s standard contractual clauses or binding corporate rules, still exist, but each transfer has to be put on one of them deliberately rather than assumed.
If your company has a geographical footprint outside of the EU and relies on personal data for business-critical processes, here’s what you need to do:
Audit your data register - do you know where all the data you hold currently resides? Data registers are a core component of effective data governance, but they age rapidly. Auditing will identify at-risk locations, such as data hosted outside the EU or outside your own technical environment. Don’t have a data register? Your day just got tougher...
Review your need for data transfers - do those business processes require actual personal information to be moved, or could they operate using pseudonymised, masked or aggregated data? Bear in mind that pseudonymised data is still personal data under EU law if the individuals can be re-identified, so only genuinely anonymised data takes a transfer out of scope. The safest way to stay within EU data protection laws is to keep personal data within the EU.
Check your service contracts - most companies outsource some of their processes, and data management has been a typical area for working with third parties. Did the contract you entered into specify where data should be kept or how data transfers should be managed? Safe Harbour certification may have looked reassuring at the time, but now you need to know whether it has actually been relied on to move data to the US, and whether the supplier will sign up to standard contractual clauses instead.
Identify any cloud-based services you use - data is routinely moved around organisations using cloud-based services, while many business processes that use data now run on virtual systems. Are the data centres which support them inside the EU? Remember that a US-based support team accessing EU-hosted data remotely is also a transfer, as is any onward passing of data to the vendor’s own sub-processors. If a service is currently operating in the US under Safe Harbour, does the vendor have a plan to build European data centres or to offer an alternative transfer mechanism?
Warn the board about your exposure - the results of the previous four actions are likely to show a heightened level of risk. The board needs to know if the company could be facing a challenge similar to the one Facebook has just lost, and be able to start planning how to mitigate it.
It’s not often that headlines about a court case have a direct effect on how companies need to handle personal information. But if you thought the Google Spain “Right to be Forgotten” ruling set an important precedent, this verdict on the transfers behind Facebook’s data flows could have even bigger implications.