If your company is based in the European Union you will have found yourself thinking more and more about data and harbours. Every time you consider adopting a new app to manage your business, you will be asking if you can store your company’s information on this online service. This post offers a step-by-step guide to verifying that storing your company’s (or your customers’) personal data on that service will not breach the data export limitations of the EU Data Protection Directive.
The EU and US have differing legal approaches to data protection. Put simply, the EU regards it as a human right and the US treats it as a consumer protection issue. This mattered less to business until the “safe harbour” agreement, under which US businesses were allowed to self-certify their compliance with EU privacy laws, was declared invalid by the European Court of Justice.
1. Is the subsidiary you’re contracting with in the US or EU?
You’ll need to check the Terms and Conditions of the service to find out. Note that you are not looking to establish where the headquarters of the vendor are, but rather where the subsidiary that you are contracting with is located (often referred to as the “Contracting party” or “Contracting entity”). For example, HubSpot is a US company but its terms state: “If you are located in Europe […], then you are contracting with HubSpot Ireland Limited and this Agreement is governed by the laws of the Republic of Ireland.”
2. If you are transacting with a non-EU entity
You need to verify that the vendor has put in place one of the mechanisms that enable transfers of personal data outside the EU. Safe Harbour used to be the most common one but after its demise the following are still considered valid:
a) Model clauses (also referred to as Model contracts): A standard contract provided by the EU, which specifies restrictions and safeguards on the use of personal data. This is now the most common way to facilitate cross-border transfer. The model clauses will often not be included in the standard terms of the service, and will be offered as an addendum that you and the vendor will need to sign. For example, Amazon Web Services (AWS) offers a Data Processing Agreement that incorporates the model clauses, which customers need to sign and mail back to Amazon.
b) Binding Corporate Rules (BCRs) are an alternative that applies to transfers within a multinational corporate group. This is more cumbersome than the Model clauses and less common.
3. If you are transacting with an EU entity
You still need to check if, and under what protection, your data is exported from the EU. A common scenario is that an EU vendor is using a US data center, in effect exporting all its customers’ data to the US.
4. If the EU entity is storing all data within the EU
You are all set (unless you are German – see number 6 below).
5. If the EU entity is exporting some or all of its data outside the EU
You will need to verify that the vendor has put in place one of the mechanisms described in step 2 to facilitate the data export. For example, Workable is a UK company that is storing data in AWS in the US, and also provides partial access to this data to employees of its US subsidiary. We enable the former by having signed AWS’s Data Processing Agreement that incorporates the model clauses, and the latter by having the US subsidiary sign the model clauses with the UK entity. We also asked all our US employees to sign a proprietary information agreement (and will provide relevant training), which incorporates all the obligations that arise from the model clauses.
6. Are you a German company?
Gesundheit! There are some additional requirements for German companies. Section 11 of the Federal Data Protection Act (BDSG) mandates that you carefully select the vendor (“data processor”) and check the suitability of the technical and organizational measures it is taking to safeguard the security of the data. This means, in practice, two things:
- You need to sign a written Data Processing Agreement (DPA) with the vendor. The DPA will specify the collection, processing and use of the data, the technical and organizational measures to be taken by the processor and will authorize you to instruct the processor in all matters regarding the data subject to the DPA.
- You need to verify the processor’s compliance with the technical and organizational security measures undertaken in the DPA before any act of data processing begins and regularly thereafter. The results of such verification must be documented for a potential review by the authorities, since a failure to comply with this requirement constitutes an administrative offence subject to an administrative fine of up to €50,000. Section 11 of the BDSG does not prescribe any specific method for such verification measures on the part of the controller. Verification may be ensured by on-site inspections, external audits, relevant certifications or comprehensive questionnaires, depending on the extent of the commissioned data processing, the sensitivity of the respective data, and the credibility of the processor.
Is this all I need to know to make sure that my data and that of my clients is safe?
Not quite. This post has only dealt with the legal requirements that need to be met, and more specifically with data export. But security is a much broader topic, which can, and should, be verified in a number of different ways. That is outside the scope of this post, but here are some questions to help you start the conversation with your vendor:
- Do you have an ongoing or regularly scheduled process of security and penetration testing of your infrastructure by a third party?
- Do you offer an SLA which includes uptime guarantees? What is your historical uptime percentage? Do you have a DDoS mitigation infrastructure in place?
- Have your security and privacy processes and technology been accredited under a relevant industry standard (e.g. ISO 27001) or by a security vendor (e.g. TRUSTe)? Are they audited by a third party?
The vendor says that I can store my data with them because they comply with Safe Harbour. All good?
No. Safe Harbour has been declared invalid by the ECJ. The vendor must use alternative measures to comply with data protection, such as those outlined in step 2. Having said that, some national regulators are taking a more relaxed approach, with the UK’s ICO stating “We are not rushing to use our enforcement powers”.
What’s the “EU-US Privacy Shield”?
The short answer is that it doesn’t exist yet. In more detail: The invalidation of Safe Harbour has sent the US and the EU racing to set up an alternative. The fruit of their labour is the EU-US Privacy Shield, a new framework for transatlantic data flows that is intended to replace Safe Harbour regulations. This is still work in progress, expected to be put in place by April. It has been welcomed by some national regulators, while others have been more cautious, with the head of the Hamburg Data Protection Authority stating that DPAs are likely to classify the Privacy Shield as insufficient to ensure the appropriate level of protection for the transfer of personal data from the EU to the US.
And one final word of advice: There is currently a lot of activity in this area, as the Privacy Shield is being set up to re-establish a common basis for data exports and to preclude fragmentation in how privacy issues are addressed by different national regulators. This means that the rules may change again, and vendors must be ready to move quickly and adapt to the changing landscape.