Key data protection development – Safe harbour blown away
What is ‘safe harbour’?
In a nutshell, the Data Protection Act says that you can’t send data overseas unless that data is adequately protected. The Safe Harbour system is the main way of satisfying this requirement and involves U.S. companies that handle data relating to EU citizens signing up and self-certifying that they protect that data to a standard the EU is happy with.
Why is it so important?
It’s not just organisations whose business is data that send data overseas. The headlines will concentrate on U.S. companies like Facebook, but a lot of UK businesses outsource aspects of their administration, such as payroll and customer management systems, to cloud-based companies whose servers are situated in the U.S. The vast majority of them will rely on safe harbour provisions to comply with the Act. There are alternative procedures available but they are cumbersome and often expensive.
The European Court has said that, because the U.S. security agencies can apparently snoop on data held on servers in the U.S. at will, the Safe Harbour system doesn’t actually protect data well enough. Basically, it may no longer be possible to rely on it as a way of complying with the Data Protection Act.
What does this mean to businesses?
There is no need to panic – even though the judgment is very clear, it is up to the data protection authorities in each country to decide what to do next. It is unlikely that they will immediately demand that businesses change their data protection arrangements overnight – the Information Commissioner here in the UK has indicated he will be adopting a steady approach.
However, things will change and the likely effect is that businesses will have to do much more to make sure they comply with the Act.