Goodbye "Safe Harbour", Hello "Privacy Shield"
EU data protection law prohibits the movement of personal data to non-EU countries unless the destination country ensures an adequate level of data protection equivalent to that of the EU.
The 8th principle of the EU Data Protection Act 1998 states:
‘Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.’
The safe harbour agreement was made between the European Commission and the US government in 2000, whereby US companies could store EU customer data provided they adhered to the following principles:
These principles were designed to prevent organisations from disclosing or losing personal information. In the US, companies could opt in by ‘self-certifying’ their intention to abide by the principles and answering 15 additional questions raised within the Directive.
Unfortunately, self-certification was voluntary, and only organisations regulated by the US Federal Trade Commission or the Department of Transportation were able to participate. This resulted in a large number of American institutions being excluded from the requirement.
In subsequent years a number of organisations expressed concerns over the ability of the US to provide sufficient oversight of this ‘self-regulated’ scheme, and its overall commitment to privacy was brought into question.
The Patriot Act 2001 (which came into force after the September 11 attacks to strengthen security) allows the FBI to search telephone, email and financial records without a court order, including access to business records such as library and financial records, as well as a host of other controversial provisos.
In June 2011, Gordon Frazer, Microsoft’s managing director, dropped a bombshell by stating that cloud data, regardless of its location, was not protected against the Patriot Act.
In October 2015, the High Court of Ireland ruled that the US does not offer sufficient protection against surveillance by public authorities. The court held that US companies were bound to disregard, without limitation, the protective rules laid down by Safe Harbour, and that the Safe Harbour principles were therefore invalid because they did not require all organisations working with EU data to comply with them.
Earlier this month, the EU and US announced a new framework to provide EU citizens with greater protection of their data through the EU-US Privacy Shield. The US has provided assurances that clearer limitations, safeguards and oversight of the mechanisms used to store and use this data will be implemented across all US organisations. The policy will be reviewed annually and EU authorities will play a constructive role in supporting this new agreement.
We wait in anticipation of further details of the new scheme still to be announced.