United States Data Transfers

United States data transfers as well as other transfers of personal data outside of the EEA are tightly controlled, our focus is on transfers to US cloud servers.

At the moment managers responsible for information security and data protection throughout the European Economic Area including the UK are looking at how to solve a new challenge regarding privacy. This is due to the judgment of the Court of Justice of the European Union (ECJ) in case C-362/14 of Maximillian Schrems v Data Protection Commissioner handed down on the 06th October 2015.

UK companies, **actually it applies to all companies within the EEA, suddenly find that they have to review their use of US clouds to store personal data as it could be illegal.

Maximillian Schrems v Data Protection Commissioner
In a nutshell , the ECJ ruled that the European Commission’s approval fifteen years ago of the Safe Harbour framework developed between the US Department of Commerce and the European Commission allowing US companies to comply with the EU Data protection Directive (95/46/EC) is invalid. According to the ECJ the data Protection Directive provides that international transfer of personal data outside the EEA to a third country must provide an adequate level of protection. The ECJ decided that the US did not provide such protection for a number of specific reasons including that the EU citizen’s personal data was not always being used for the purposes for which it was originally collected. Mr Schrems was able to successfully challenge Facebook’s transfer of his personal data to servers located in the United Sates. Facebook’s reliance on the Safe Harbour Scheme was rejected.

So to simply have a clause that reads as follows is no longer valid following the ruling (**companies will have some time to comply with the new ruling):

” [ ] shall comply with the appropriate safe harbour provisions regarding entering into any required data transfer agreements.”

Where is the data being stored?
The most important question to ask is where is the data being processed or stored? If it’s in the United States the solution is to move down the path of EU model clauses.

**Who is likely to be affected by United States data transfers?
Any business that provides a technology based product such as a web application (web app) or a mobile application (mobile app) basically a client-server software application which runs on a web browser or a mobile operating platform such as IOS or Android or other type of software to multinational companies or is likely to collect or process data outside of the EEA is likely to be affected.

What can we do abut United States data transfers?
Companies need to create data processing agreements that contain model clauses which would be sent out with their standard contracts, and to understand their responsibilities so that they can highlight any necessary changes internally. In other words, the following is needed: (1) **A model international data transfer controller to controller agreement which includes transfers outside the EEA that is compliant with the new ruling; and (2) **model contractual clauses for the international data transfer controller to processor agreement which includes transfers outside the EEA including the US.

**You will need both types of agreements if you are storing data in the cloud in the US. The latter will require two types of clauses, firstly, controller to controller clauses – where you are passing data to a US company that is managing the data independently, or your client is outside the EEA; secondly, controller to processor clauses – where you are transferring the data to a US company that is processing the data on your behalf.

What are the EU Model Clauses?
(*The European Commission is authorised to make findings that certain standard contractual clauses offer sufficient safeguards under Article 26(4). These are : i. Controller to Controller Model Contractual clauses 2001 – ii. Controller to Controller Model Contractual clauses 2004 – iii. Controller to Processor Model Contractual clauses 2010 (the “EU Models”). Other than the EU Models there is no model as yet produced by the UK Information Commissioner, or any other European regulatory body, that will be EU compliant *to replace Safe Harbor.

**What are the challenges with the EU Models?
A few of the challenges you face with respect to the EU model clauses are:

1. Exposure to full liability of a security breach with compensation which is un-capped.
2. Allowing access to data processing facilities.
3. Getting written consent from clients to change or introduce sub-processors.
4. Provide sub-processing agreements to clients.
5. That data subjects are allowed to bring a claim against them in the event that they can’t bring a claim against the client.

**Action
It is advisable to seek specialist advice to understand the extent of your risk exposure when using the EU Model clauses.

If you like this article on US data transfers then you might like our articles on:

Data processing agreements

To obtain a quotation, please contact us at (020) 7305-7491 or at peter@pailsolicitors.co.uk. We would be delighted to assist you. Mr Peter Adediran is the owner and principal solicitor at PAIL® Solicitors.  Subscribe to our newsletter to get blog post updates and other information about the firm straight to your inbox.

*These amendments were added to this article on the 12/11/2015 at 12:15 GMT
**These amendments were added to this article on the 20/11/2015 at 12:15 GMT