Safe Harbour = Invalid. EU Data USA: big problem !
Discussion
DonnyMac said:
In simple terms, do not keep or send any data to the U.S., if you have data there, get it out and find an alternate supplier of those services if they go not have a European subsidiary.
Massively simplified obviously, but that's it in a nutshell.
More specifically aren't the laws around "personally identifying" data and "without permission"? Massively simplified obviously, but that's it in a nutshell.
ie as long as the data cannot be used to identify an individual you're OK. And even if it can identify an individual, if they give their permission for data to be stored without EU protections then that's ok too....?
Granted that rules out a lot of things. But by no means all.
(For anyone freshly concerned about this, the US isn't the only country the legal guys get itchy about ime. Places like India can also be problematic)
My understanding is that it applies to the EEA and not just the EU. Whether it includes Switzerland is a bit iffy.
Technical question.
If one has personal data already in the US, is it possible to put it out of reach of the NSA by, perhaps, deleting it? Is deletion even possible.
The ICO have suggested, in a press release, that compliance might take time. One assumes this is meant as a promise not to prosecute. Given this period of grace to establish systems, what is the liability of Data Protection Officers if they continue to send data to the USA in compliance with previous systems?
A significant decision, one where the implications are wide ranging. There will be some surprises I think.
In essence, what the decision says is that international agreements cannot override national governments. So no surprise there. It also shows that the American attitude to privacy is fundamentally different to that of this country.
One possibility is that the USA will now have to negotiate with each individual country in the EEA. So no problems with bureaucracy then.
But, as the OP stated, not a surprise. The only thing wrong with Safe Harbour was not the way it was spelt. It was a fudge from the start. It was hardly in compliance with the DPA.
Technical question.
If one has personal data already in the US, is it possible to put it out of reach of the NSA by, perhaps, deleting it? Is deletion even possible.
The ICO have suggested, in a press release, that compliance might take time. One assumes this is meant as a promise not to prosecute. Given this period of grace to establish systems, what is the liability of Data Protection Officers if they continue to send data to the USA in compliance with previous systems?
A significant decision, one where the implications are wide ranging. There will be some surprises I think.
In essence, what the decision says is that international agreements cannot override national governments. So no surprise there. It also shows that the American attitude to privacy is fundamentally different to that of this country.
One possibility is that the USA will now have to negotiate with each individual country in the EEA. So no problems with bureaucracy then.
But, as the OP stated, not a surprise. The only thing wrong with Safe Harbour was not the way it was spelt. It was a fudge from the start. It was hardly in compliance with the DPA.
Murph7355 said:
DonnyMac said:
In simple terms, do not keep or send any data to the U.S., if you have data there, get it out and find an alternate supplier of those services if they go not have a European subsidiary.
Massively simplified obviously, but that's it in a nutshell.
More specifically aren't the laws around "personally identifying" data and "without permission"? Massively simplified obviously, but that's it in a nutshell.
ie as long as the data cannot be used to identify an individual you're OK. And even if it can identify an individual, if they give their permission for data to be stored without EU protections then that's ok too....?
Granted that rules out a lot of things. But by no means all.
(For anyone freshly concerned about this, the US isn't the only country the legal guys get itchy about ime. Places like India can also be problematic)
But what can you do with that data other than sort, segment, then action back with the UK/EU?
I change DonnyMac@company.com to xyzUK12345 as a unique identifier, fulfilling my obligations to not hold his data within the U.S., then what, he goes into an automated marketing programme and is spat out as being interested in widgets, I can't email him, call him or send snail mail directly from my location, it has to go back to his country of origin to be actioned.
So you may as well run the segmentation and marketing programmes from the EU to start with otherwise you're adding an additional layer of complexity for your IT department (who hopefully won't cock-up), linking data via an automated API between compliant and non-compliant states with the Bork factor this includes and Dave the new marketing intern sending the full CSV off to his opposite number in the U.S. to be efficient.
Why take the risk?
This is good news for us in the UK, we have a window of opportunity to both grab back digital customers from the States in the short term and have US Corps invest in infrastructure here in Europe in the mid term.
Murph7355 said:
DonnyMac said:
In simple terms, do not keep or send any data to the U.S., if you have data there, get it out and find an alternate supplier of those services if they go not have a European subsidiary.
Massively simplified obviously, but that's it in a nutshell.
More specifically aren't the laws around "personally identifying" data and "without permission"? Massively simplified obviously, but that's it in a nutshell.
ie as long as the data cannot be used to identify an individual you're OK. And even if it can identify an individual, if they give their permission for data to be stored without EU protections then that's ok too....?
Granted that rules out a lot of things. But by no means all.
(For anyone freshly concerned about this, the US isn't the only country the legal guys get itchy about ime. Places like India can also be problematic)
I note the Guardian's comments pages were mainly about the EU stuffing it to the NSA. These people really have no idea.
SS7
El Guapo said:
I don't pretend to understand what this is all about, but are people assuming that the NSA only ever peek at data on servers that are physically located in the US?
This isn't really about the NSA and/or FaceBook, it's just that it makes for an easy-to-understand news story for the media, whom don't seem to understand the story either - yesterday they voiced over images of tug boats, storms and a port to visualise SafeHarbor (!?).The story is that EU data is not deemed to be protected sufficiently in the U.S. and so cannot be stored or sent there.
If it were specifically about a threat of collection by the NSA (or any other non EU agency for that matter) it is my understanding that the vast majority of this data is collected in transit rather than targeted by nation state hacking so I'd guess there would be an easy fix to the legislation requiring encrypted transit.
There's no requirement for encrypted transit as the ruling is the data isn't protected once outside the EU, not how it gets outside the EU.
Does this also not mean that people cannot even look at EU personal data whilst outside the EU?!
Say for instance I had an email marketing SaaS product that I used, everything stored in the EU. I go to America on holiday and decide to have a quick look at who has opened my latest email campaign. Even looking at the data has now transferred some data to caches on the computer I'm using, possibly even CDN caches in America. I've now broken EU law...
Or how about EU data on a USB drive that I take with me outside of Europe...
These regs are idiotic, helping no one but forming more red tape, just like the stupid EU cookie law.
Say for instance I had an email marketing SaaS product that I used, everything stored in the EU. I go to America on holiday and decide to have a quick look at who has opened my latest email campaign. Even looking at the data has now transferred some data to caches on the computer I'm using, possibly even CDN caches in America. I've now broken EU law...
Or how about EU data on a USB drive that I take with me outside of Europe...
These regs are idiotic, helping no one but forming more red tape, just like the stupid EU cookie law.
Rackspace formal reply:
http://blog.rackspace.com/eu-ruling-on-safe-harbor...
So as many suggested would happen, they are relying on other 'model clauses' and agreements. This just makes it harder for SMEs to work out what their next steps should be.
http://blog.rackspace.com/eu-ruling-on-safe-harbor...
So as many suggested would happen, they are relying on other 'model clauses' and agreements. This just makes it harder for SMEs to work out what their next steps should be.
We like RackSpace, we use them (in the UK) but words such as - Should, cannot advise, rare event, data transfer mechanisms prove insufficient - included in the blog confirm that it's just noise and until this mess is sorted they're not compliant for EU data.
Edited by DonnyMac on Thursday 8th October 12:55
DonnyMac said:
We like RackSpace, we use them (in the UK) but words such as - Should, cannot advise, rare event, data transfer mechanisms prove insufficient - included in the blog confirm that it's just noise and until this mess is sorted they're not compliant for EU data.
Agreed (except the bit about liking Rackspace - my experiences with them have not been good) - it's all so much fluff and noise.Derek Smith said:
My understanding is that it applies to the EEA and not just the EU. Whether it includes Switzerland is a bit iffy.
....
It does. And Switzerland is one of the deemed safe territories. (The Swiss also much prefer Safe Harbour than model clauses).....
DonnyMac said:
...
But what can you do with that data other than sort, segment, then action back with the UK/EU?
...
This is good news for us in the UK, we have a window of opportunity to both grab back digital customers from the States in the short term and have US Corps invest in infrastructure here in Europe in the mid term.
It depends what you're using the data for...though I grant you there are limited uses where bringing it back to do "something" with it wouldn't be involved.But what can you do with that data other than sort, segment, then action back with the UK/EU?
...
This is good news for us in the UK, we have a window of opportunity to both grab back digital customers from the States in the short term and have US Corps invest in infrastructure here in Europe in the mid term.
As for whether the UK could benefit...possibly. Though personally I suspect there are a number of other tech savvy countries in the EU who are in a much better position.
shoestring7 said:
I've never seen a DP statement asking the data subject's permission to store their data outside of the EU/EEA. The UK's DPA prevents it anyway. The main impact of the ruling is that Data Controllers are going to be forced to implement individual contracts with their US supplier that are compliant and replace Safe Harbor. Lots of work for corporate lawyers; no improvement in any meaningful sense to anyone really.
...
Does the UK DPA prevent it? I wonder how many people accept the terms and conditions of use for various websites and how many of those are storing data in the EU.......
Totally agree on the lawyer front. And the extent to which model clauses can be drawn out by them beggars belief
DonnyMac said:
El Guapo said:
I don't pretend to understand what this is all about, but are people assuming that the NSA only ever peek at data on servers that are physically located in the US?
This isn't really about the NSA and/or FaceBook, it's just that it makes for an easy-to-understand news story for the media, whom don't seem to understand the story either - yesterday they voiced over images of tug boats, storms and a port to visualise SafeHarbor (!?).The story is that EU data is not deemed to be protected sufficiently in the U.S. and so cannot be stored or sent there.
If it were specifically about a threat of collection by the NSA (or any other non EU agency for that matter) it is my understanding that the vast majority of this data is collected in transit rather than targeted by nation state hacking so I'd guess there would be an easy fix to the legislation requiring encrypted transit.
There's no requirement for encrypted transit as the ruling is the data isn't protected once outside the EU, not how it gets outside the EU.
If the US government wanted to get to your data it would be easier where it is (because provided they had a good enough reason for the UK government to give them the nod they could hack to their heart's content and blame it on the Chinese) than it would be in the US, where there are some restrictions.
I disagree, as do the facts.
Meta data is captured whilst in transit across the Atlantic, this is the vast majority of data which is collected, by which agency and for whom is immaterial.
I think it is well known that GCHQ and the NSA collect data on each other's citizens in a mutual, let's circumvent our own laws, sort of way.
You will not be directly hacked unless this meta data flags you as someone of interest.
However, this isn't the story, this is about SafeHarbor being invalid, the ramifications and how to rectify it.
Meta data is captured whilst in transit across the Atlantic, this is the vast majority of data which is collected, by which agency and for whom is immaterial.
I think it is well known that GCHQ and the NSA collect data on each other's citizens in a mutual, let's circumvent our own laws, sort of way.
You will not be directly hacked unless this meta data flags you as someone of interest.
However, this isn't the story, this is about SafeHarbor being invalid, the ramifications and how to rectify it.
Murph7355 said:
Does the UK DPA prevent it? I wonder how many people accept the terms and conditions of use for various websites and how many of those are storing data in the EU....
The DPA prevents it by law.A websites T&Cs won't cover this, it will be covered in their Privacy Policy, which must be published at the point of data collection.
The DPA prevents a company putting in a stipulation in their Privacy Policy allowing for data to be held outside the EU.
You need explicit written consent from the data subject, this is a far, far higher bar than a simple tick box saying I agree to x, y, z, it has to be a statement confirming this single issue of storage outside the EU.
I'm wondering if anyone can shed any light on the response to this from Salesforce? We've been sent a Data Processing Addendum which we're told will implement the 'Model Clauses' which they say follow the standard model clause template as created by the EU Data Commission.
I've been trying to read around the subject but I'm just a simple marketing man with no legal experience and no real knowledge of the DPA. I've found some sites that seem to suggest this will be fine while others suggest that the Model Clauses will likely be reviewed now that Safe harbour has been deemed invalid.
So, if we sign the DPA does this mean that we are (for the time being) protected. Or are Salesforce simply trying to sell us false assurances because they're trying to avoid a mass exodus of business from all of their EU clients?
I've been trying to read around the subject but I'm just a simple marketing man with no legal experience and no real knowledge of the DPA. I've found some sites that seem to suggest this will be fine while others suggest that the Model Clauses will likely be reviewed now that Safe harbour has been deemed invalid.
So, if we sign the DPA does this mean that we are (for the time being) protected. Or are Salesforce simply trying to sell us false assurances because they're trying to avoid a mass exodus of business from all of their EU clients?
King David said:
I'm just a simple marketing man with no legal experience and no real knowledge of the DPA.
"Signs the DPA"? If you work for a corporate you need to speak to legal. If you don't have access then this is your source: https://ico.org.ukIf you or any business you're managing is storing/using/collecting personal data then you have to register (easy on-line) and comply. No ifs or buts.
SS7
shoestring7 said:
King David said:
I'm just a simple marketing man with no legal experience and no real knowledge of the DPA.
"Signs the DPA"? If you work for a corporate you need to speak to legal. If you don't have access then this is your source: https://ico.org.ukIf you or any business you're managing is storing/using/collecting personal data then you have to register (easy on-line) and comply. No ifs or buts.
SS7
Unfortunately we fall squarely within the 'S' part of SME so no easy access to legal.I'll take a look at the link you posted, thanks!
SS7 is referring to registering with the Information Commissionors Office which you must do. Doesn't take long.
Not having read the info from SF I'd be hugely disappointed if they were using the term DPA for one of their internal procedures as everyone in the UK recognises that as the Data Protection Act.
Naughty.
Not having read the info from SF I'd be hugely disappointed if they were using the term DPA for one of their internal procedures as everyone in the UK recognises that as the Data Protection Act.
Naughty.
DonnyMac said:
SS7 is referring to registering with the Information Commissionors Office which you must do. Doesn't take long.
Not having read the info from SF I'd be hugely disappointed if they were using the term DPA for one of their internal procedures as everyone in the UK recognises that as the Data Protection Act.
Naughty.
Yup, they start the document by abbreviating Data Processing Addendum to DPA and continue to use that abbreviation throughout the document.Not having read the info from SF I'd be hugely disappointed if they were using the term DPA for one of their internal procedures as everyone in the UK recognises that as the Data Protection Act.
Naughty.
Gassing Station | News, Politics & Economics | Top of Page | What's New | My Stuff