Safe Harbour agreement sinks; Cloud Direct customers swim

Rising concern among UK businesses for the security of UK and EU data transferred and stored in the U.S. came to a head last week when the European Court of Justice (ECJ) declared the EU-US Safe Harbour Framework invalid.

Safe Harbour was originally designed as a ‘streamlined and cost-effective’ way for US firms to transfer data from Europe without breaking EU law. In the wake of the Snowden allegations, however, the ECJ has ruled Safe Harbour invalid.

While Cloud Direct customers have nothing to worry about (all of our data is securely stored within the EU and bound by strict ISO and DPA standards), we thought it worth outlining what the sinking of the Safe Harbour agreement means for UK businesses that DO have customer data stored in the U.S.

Three reasons why UK businesses probably don’t want their customer data stored in the U.S.

  1. U.S. companies can no longer self-certify
     The Safe Harbour agreement that was made between the EU and the US government essentially promised to protect EU citizens’ data if transferred by American companies to the US. All the US company needed to do was “self-certify” that they would protect EU data. This agreement has now been declared invalid by the European Court of Justice.
  2. U.S. businesses must now seek to strike EU model clauses
     Since US businesses can no longer rely on self-certification to authorise the transfer of data outside Europe, they must now incorporate the European Commission’s standard contractual clauses – commonly referred to as ‘model clauses’.
  3. A new Safe Harbour agreement could take some time
     While the good news is that an updated Safe Harbour agreement – called Safe Harbour 2.0 – is being drawn up, the bad news is that talks between the EU and the US have been ongoing for around two years.