Data held on Safe Harbour ruled invalid by EU Court of Justice – what companies need to do
In a landmark ruling last week, The European Court of Justice ruled the Safe Harbour agreement which allows data from UK companies to be transferred to and stored in the US was last week declared invalid. This ruling that will have far-reaching repercussions for companies using American based cloud providers to store data.
In a response to the ruling the Information Commissioner’s Office (ICO). David Smith said:
“This ruling is about the legal basis for the transfer of personal data to businesses that are members of the US Safe Harbour. The judgment means that businesses that use Safe Harbour will need to review how they ensure that data transferred to the US is transferred in line with the law.”
Many companies store personal data on shared servers such as OneDrive, LiveDrive, Dropbox etc. which whilst they are all US companies also have a European presence. However, under this ruling this may leave your data without adequate protection or failing to comply with the 8 Principles of the UK Data Protection Act.
This could potentially impact global trade or the day to day running as organisations would likely be required to re-structure business and data management functions, outsourcing arrangements, business partnerships and possible re-locating of IT assets to ensure processing of personal information does not take place inside the US.
How to overcome the problem?
Businesses will now need to carryout technical review of how confidential data is treated in your company to ensure this ruling does not affect your regulatory status or security of your confidential data. With the new ruling it is vital now more than ever that you have a complete understanding of where your company confidential data is stored; is it on servers within the EU or US?
The 3 key points to consider are:
- Verify where the confidential data is stored?
- Is your data encrypted at ‘Source’ or by a 3rd party provider?
- Does your existing data storage arrangements contravene UK data laws now the Safe Harbour has been ruled invalid?
Undertaking a data protection health check on the treatment of data in your business will assist to identify any potential risks of non-compliance or vulnerabilities you may have in relation to the recent Safe Harbour invalidation ruling.
This article does not constitute as legal advice and if you have any concerns regarding data protection then please contact us.