Are you a safe harbor on these data shores?
What Edward Snowden has to do with arts marketing
If you’re a user of Survey Monkey or Mail Chimp, you might have noticed these services flagging a change to their terms and conditions recently. It all has to do with the legal frameworks for data transfer when the data is travelling outside of Europe. You should take a look at the small print to ensure your data is compliant.
This has everything to do with the 8th principle of data protection. Here’s a refresher if it has slipped your mind –
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
For instance, if you are using a tool that stores data in the cloud (like Dropbox or Google Drive but also cloud-based CRM systems and cloud-based marketing tools like Mail Chimp) the data you use on these systems should either:
- Stay in the EEA, or
- Go outside the EEA as long as where it is stored lives up to European standards of data protection and human rights.
Companies that store data in the cloud have server farms all over the world. Is the data you’re holding better travelled than you are? Very possibly. But to be fair, the cold clean rooms that house server farms aren’t the best tourist destinations anyway.
What happened that kicked off this chain of events? Travel back in time to October 2015. The scene: a European court. The judgement: no more Safe Harbor.
So what was Safe Harbor? It was an agreement that allowed European data to be held on servers in the United States (that’s why it’s spelled the American way with no ‘u’) and was nothing at all maritime, despite the name. It was a system that businesses opted into, giving assurance that the privacy of their data storage met the standard required by the 8th principle of data protection. That meant people like you, working in European businesses that use these cloud-based tools to store and transfer personal data, weren’t in breach of the Data Protection Act.
Why was it overturned? This is where Edward Snowden comes in. Remember all those stories about how US government agencies were using digital data to snoop on private correspondence like emails and texts? The court overturned Safe Harbor because:
- US intelligence can currently access the data, in the opinion of the court, beyond what is required for national security.
- People outside the USA should be (but currently aren’t) able to seek legal remedy if their personal data has been misused or not protected.
What should you do? In the immortal words of Douglas Adams – Don’t Panic. The Information Commissioner’s Office (ICO) have published some official guidance along with a couple of blog posts – one when the initial ruling took place and the second on the developing EU-US Privacy Shield – to give you the official word on what you need to know. The new privacy shield is still in negotiation, but eventually it is supposed to take the place of Safe Harbor.
In the interim, the ICO say we should all keep an eye on the ruling and be vigilant to the changes that could put your data at risk. The ICO have info on using contracts and corporate rules in place of international agreements. However, ultimately the onus is on you to check the security of how and where your data is stored.
Which takes us back to where we started. While this is all happening, companies – like Survey Monkey and Mail Chimp – have taken the situation into their own hands. In the absence of the Safe Harbor agreement they’ve updated their Ts&Cs to fill the gap until the new Privacy Shield is agreed. Europe’s data protection regulators and the European Commission expect to make progress on this in the next few months. If you want to keep up with these changes as they happen, you can subscribe to the ICO’s monthly newsletter.
Main image credit: Hitchhiker's Guide Brick Edition by Johnson Cameraface (CC BY-NC-SA 2.0)