Thursday 12 December 2024
Q&A: What is the Safe Harbour scheme, and do you need to stop using US-based web services?


Lewisham Council has been in the news this week after its IT chief emailed education staff suggesting they consider ending their use of cloud services such as Dropbox.

His argument was that a new ruling from the EU’s Court of Justice could make using storage services based in the US illegal, or at the very least unsafe. It’s all to do with something called the Safe Harbour scheme, and the movement of data between the EU and US.


What is Safe Harbour?

The scheme came into existence in 2000 in the US, and the reason for this is all to do with EU law. Under EU law it is prohibited to transfer personal data to, or process it in, other parts of the world that do not provide what it calls “adequate” privacy protections.

So, in order to make it easier for US-based firms – including tech giants such as Apple, Dropbox and more that deal with a lot of data – Safe Harbour was created. It is essentially an agreement between the EU and US that the American firms involved have made themselves safe to EU standards. In essence, it is a self-declaration of security.

More than 5,000 firms have agreed and signed up.

So what did the Court of Justice rule on?

The court decided that, in the wake of the leaks from whistleblower Edward Snowden, Safe Harbour could no longer automatically be considered a guarantee that firms provided the “adequate” protection EU law is looking for. So it ruled the scheme invalid.


This has caused some confusion (hence the Lewisham Council emails) with some businesses scrabbling to move cloud services because they think they’re breaking the law. This isn’t strictly the case as the judgement is still being analysed on many sides.

Data can still be, and is being, transferred outside the EU, but the level of legal protection it has is now being discussed.

What is going to happen next?

The UK’s data watchdog, the Information Commissioner’s Office (ICO), has spoken up following the confusion in a bid to reassure the public.

In a blog post they said: “Our initial message is still valid. Don’t panic and don’t rush to other transfer mechanisms that may turn out to be less than ideal. The impact of the judgement on standard contractual clauses and binding corporate rules is still being analysed.


“The first thing for businesses to do is take stock. Ask yourself what personal data you are transferring outside the EU, where is it going to, and what arrangements have you made to ensure that it is adequately protected.

“If they include the Safe Harbor, what alternative mechanisms might you use if there’s no progress on a new Safe Harbor? But don’t rush to change, especially with the possibility that a new, improved and perhaps rebranded Safe Harbour will emerge.”

The final point is the key one there – the emergence of a re-branded Safe Harbour. Negotiations are already under way to create such a thing, with the US and EU already said to be working on a ‘Safer Harbour’ solution.

Should I stop using Dropbox and co?

No, there’s no need to change what you’re doing on an individual basis.

Big businesses are being encouraged to work out case-by-case privacy contracts – known as model contract clauses – which essentially ask the non-EU country with privacy laws not approved by the European Commission to agree to EU levels of privacy protection on the data they receive.

What do the US firms involved have to say?

Not many have spoken out, but Dropbox has moved to reassure customers about how safe its service is.


“We were one of the first, and are still one of the only, major cloud service providers to achieve ISO 27018 certification – a global standard for cloud privacy and data protection,” a spokesman for the cloud service said.

“Along with the rest of the industry, we eagerly await guidance from the European Commission on the revised Safe Harbour framework, which will help determine the most effective long-term solutions.”

