A new data transfer agreement must be negotiated between the EU and the US by 31st January 2016, or action may be taken against businesses who continue to transfer their customer’s personal data through the US.
What does this mean for my business?
If your business stores personal data which falls under the Data Protection Act, then you need to prepare to move away from services that are based or owned in the US. You must be able to implement this move before 31st January 2016, in case the US and EU do not negotiate a new data transfer agreement.
Why has this happened?
The ultimatum comes after the EU’s ruling last week that the data transfer agreement titled ‘Safe Harbour’ which protected personal data sent through the US, was invalid. This was due to Edward Snowden’s disclosures in 2013 which revealed US global surveillance programs.
The statement was released last Friday by the Article 29 Working Party (the EU’s data protection advisory body). It stated that, ‘If by the end of January 2016, no appropriate solution is found with the US authorities…EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.’
Regarding businesses within the EU, the party noted that they ‘…should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection…’
Can I just move the services based in the US to the EU?
Currently, there is very little that businesses can do to ‘mitigate the risks’ of transferring data; the US government has jurisdiction over all US companies and their subsidiaries, regardless of their location in the world. Regrettably, this means that moving data to EU based subsidiaries will be fairly ineffective.
What if I’m asked to sign a Model Clause?
Some corporations are now depending on the EU Model Clauses; standardised clauses that allow for legitimate cross border data transfers. Although the Article 29 Working Party have said that these can still be used, there is a debate as to whether these will be the next to go.