Most businesses will know if they have US suppliers or US customers. But many businesses will not realise that the companies they use for IT services, website hosting, email or mailing services store or process their data on servers based in the US. And a recent European Court ruling means that those businesses could now be inadvertently breaching European data protection rules.
Data protection is one of those areas that has traditionally received a relatively bad press, although I think we can all agree that when it comes to protecting our own personal information from unauthorised use and disclosure, the complex regulations governing data security are a good thing. We frown, quite rightly, when HMRC or an NHS Trust loses a laptop or leaves a memory stick on the train; such reckless disregard for customer and patient data should, of course, be punished.
But the world of data protection was rocked last week by a decision of the Court of Justice of the European Union (Schrems v Data Protection Commissioner, Case C-362/14) which, as reported in the media, came across as a ban on Facebook sending people’s personal information to the US. The decision extends far beyond Facebook and, in reality, Facebook has done absolutely nothing wrong. The Court has struck down a legal mechanism that had stood for fifteen years, and the judgment is important for any business that deals with the US.
Allow me to explain.
The Data Protection Act 1998 says that businesses that process personal data (and, in today’s global marketplace, most businesses do) must comply with the eight data protection principles. The eighth of those principles says: “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
In other words, no business can send its employees’, suppliers’ or customers’ personal information outside the European Economic Area, for example to the US, unless either the destination country or the arrangements put in place with the recipient ensure that the information will be adequately protected from unauthorised use or disclosure.
Traditionally, US law on data protection fell somewhat below the standards adopted in the UK and across Europe, so UK businesses could not freely transfer personal information to US businesses because the US did not provide “an adequate level of protection”. This, of course, would have made transatlantic trade impossible, and both the US and the European authorities quickly recognised the problem. The result, in 2000, was the ‘Safe Harbor’ framework: US businesses could self-certify to the US Department of Commerce that they would abide by a set of privacy principles modelled on European rules, and the European Commission in turn decided that transfers to those self-certified businesses were adequately protected.
IT companies in the US quickly realised the benefit of signing up to ‘Safe Harbor’, because it meant that they could continue to receive and process data from businesses in Europe, and many leading IT companies have been self-certified under ‘Safe Harbor’ for years.
And that’s great. Until last week, when the European Court ruled that the Commission’s ‘Safe Harbor’ decision was invalid.
So, what does this mean in reality?
It means that UK and European businesses can no longer rely on ‘Safe Harbor’ to transfer personal information to businesses in the US. They must instead put another lawful basis in place, which in most cases means re-evaluating their contracts to ensure they contain appropriate safeguards, typically the European Commission’s standard contractual clauses (the ‘model clauses’), requiring the US business to protect the data to the standard UK and European law demands. In short, UK and European businesses can only transfer data to those US companies who contractually agree to provide that “adequate level of protection”.
Yes, it will increase costs, and yes, it will cause delays, and yes, it will mean existing contracts have to be renegotiated, but that is now an inevitability. Any contract between a UK business and a supplier, service provider or customer outside the European Economic Area where personal information passes between the two should now be reviewed and, where the transfer relied on ‘Safe Harbor’, amended to contain data protection clauses ensuring that the overseas recipient treats that personal information with the same level of care as required by UK law. If this doesn’t happen, UK businesses will be in breach of the data protection principles under the Data Protection Act 1998, for which the Information Commissioner can impose a monetary penalty of up to £500,000 for a serious contravention.
It is hoped that the US and European authorities will agree a new transatlantic arrangement to replace ‘Safe Harbor’ in the not-too-distant future...but we won’t hold our breath.
If your business trades overseas, whether in the US or anywhere else, and you would like clarification as to whether this new ruling affects your business and, if so, what steps your business needs to take to remain compliant with the Data Protection Act 1998, then please contact any member of BPE’s Commercial Team for advice.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.