The Article 29 Working Party, a committee made up of representatives from the data protection regulators of European Union (EU) member states, has said that the self-certification process involved in Safe Harbor is not sufficient for customers to make sure that the providers of cloud services are compliant with data protection laws.
Under the eighth data protection principle of the Data Protection Act 1998, transfers of data cannot be made to organisations outside of the European Economic Area (EEA) without certain safeguards in place. Safe Harbor is a scheme set up between the US and the EU whereby US organisations can meet the data protection requirements set out in the EU’s Data Protection Directive (and therefore the eighth data protection principle); those organisations can join Safe Harbor by self-certifying their compliance.
The Article 29 Working Party recently released an opinion in which it stated that, due to the nature of cloud services and a customer’s lack of knowledge of exactly where the customer’s data is at any point in time, customers should obtain more protection and certainty than Safe Harbor provides. Rather, customers should ask registrants of Safe Harbor to provide evidence showing that the relevant data protection laws are complied with.
The Article 29 Working Party also said that data controllers looking to transfer data outside of the EEA by using the cloud should check the service provider’s standard terms to ensure compliance with the EU’s data protection laws, as well as:
- use the standard contractual clauses, which are EU-approved, for transferring data outside of the EEA; or
- have in place binding corporate rules (known as BCRs), which are approved by the relevant data protection regulator in the member state where the data controller is based, that ensure compliance.
You have to wonder what the point of Safe Harbor is, if standard contractual clauses or binding corporate rules would work without it.
