Safe Harbour = Invalid. EU Data USA: big problem !

Chimune

Original Poster:

3,173 posts

223 months

Tuesday 6th October 2015
www.bbc.co.uk/news/technology-34442618
"A pact that helped the tech giants and others send personal data from the EU to the US has been ruled invalid.....

The EU forbids personal data from being transferred to and processed in parts of the world that do not provide "adequate" privacy protections. So, to make it easier for US firms - including the tech giants - to function, Safe Harbour was introduced to let them self-certify that they are carrying out the required steps."

Well, Safe Harbour is now invalid. Period. The BBC article above frames it as a Facebook problem, but further reading reveals it's much, much bigger than that!

We use Mailchimp (not checked status yet), Rackspace (data confirmed to be residing in Illinois, can't specify EU location) and AWS (already specified data to reside in EU Zone).

Not sure where this topic goes tbh. Computers, legal or business!

superlightr

12,851 posts

263 months

Tuesday 6th October 2015
just ignore it. delete their email or file under junk.

DonnyMac

3,634 posts

203 months

Tuesday 6th October 2015
This is a massive issue - I wrote about it in the business forum today but it was deleted as I may have been a little over eager to offer my help in resolving the legalities for other PHers, but that is being dealt with by the mods at the moment.

Essentially, every company in the UK that holds or supplies their data to a third party in the U.S. is now definitely, and without the ambiguity of 'SafeHarbor' (American term), breaking the law as of today.

As the OP mentions, if you host in the U.S., if you use a U.S. email marketing provider, use a U.S. SaaS CRM or pass EU citizen data from your office in London to that in New York you're now breaking the law (there is a get out on the last point which I'll happily explain if anyone cares).

The Data Protection Act 1998 has always stated that you cannot pass EU data outside the EU but the U.S. shrugged and created a self cert system called SafeHarbor where U.S. companies promised to be 'adequate' when it came to EU data processing.

Their Self Cert promise has not, and never has had, any bearing on EU law, but muddied the water enough for EU businesses not to worry about it.

It is now clear: SafeHarbor is invalid and you cannot hold your data in the U.S.

I've been bleating on about this for several years, here's a post from 2010 -

To the OP, we use Rackspace too, all our servers are physically in the UK, Uxbridge I think, and mirrored elsewhere in the country by them - perhaps they can migrate you back to the UK in light of today's ruling?

Chimune

Original Poster:

3,173 posts

223 months

Wednesday 7th October 2015
Thanks for the update and the info about Rackspace Donny.

This morning's Guardian has more details:

www.theguardian.com/commentisfree/2015/oct/07/data...

judas

5,985 posts

259 months

Wednesday 7th October 2015
This could be a big headache for us. We're currently mid-build on a system to centrally manage 1200 websites around the world along with all the user data - the majority of which will be hosted on servers in Virginia.

I'm just off to break the news to our client. Ultimately it's their problem - we're just code monkeys.

Chimune

Original Poster:

3,173 posts

223 months

Wednesday 7th October 2015
Just in discussions with Rackspace.
Apparently only the Office 365 servers are in Uxbridge. All the hosted Exchange ones are in Illinois.
Migrating 200 accounts to another provider is going to be a ball ache!

Do I remember a racker being on ph ?

<edit> JamieBeeston ??

Edited by Chimune on Wednesday 7th October 13:47

judas

5,985 posts

259 months

Wednesday 7th October 2015
Chimune said:
Just in discussions with Rackspace.
Apparently only the Office 365 servers are in Uxbridge. All the hosted Exchange ones are in Illinois.
Migrating 200 accounts to another provider is going to be a ball ache!

Do I remember a racker being on ph ?

<edit> JamieBeeston ??

Edited by Chimune on Wednesday 7th October 13:47
It's not Jamie - he was with Register1 and now at Serverstream I believe.

mackie1

8,153 posts

233 months

Wednesday 7th October 2015
Would using New Relic (application performance monitoring - hosting in Illinois) fall foul of this do you think? They have a mode that strips out anything potentially sensitive.

snowy

541 posts

281 months

Wednesday 7th October 2015
Chimune said:
Just in discussions with Rackspace.
Apparently only the Office 365 servers are in Uxbridge. All the hosted Exchange ones are in Illinois.
Migrating 200 accounts to another provider is going to be a ball ache!

Do I remember a racker being on ph ?

<edit> JamieBeeston ??

Edited by Chimune on Wednesday 7th October 13:47
Thought that Microsoft's Office 365 implementation in Europe used Ireland and Holland for its locations.

Chimune

Original Poster:

3,173 posts

223 months

Wednesday 7th October 2015
From Rackspace:

"We do not have any email infrastructure outside of the US at present for our hosted Exchange or Rackspace Email products. Office 365 is on Microsoft servers, which are in Dublin and Amsterdam - so that might be an option if you're not able to store any data in the US."

I can't see a quick or painless way out of this. Defo not using 365!!

Re: Mailchimp. No phone numbers, or live chat etc. Got to submit some form somewhere ffs.

Edited by Chimune on Wednesday 7th October 14:48

judas

5,985 posts

259 months

Wednesday 7th October 2015
mackie1 said:
Would using New Relic (application performance monitoring - hosting in Illinois) fall foul of this do you think? They have a mode that strips out anything potentially sensitive.
Can't see it being a problem as it's not dealing with any personal data. It's one of the few bits of our infrastructure I'm not worrying about at the moment.

judas

5,985 posts

259 months

Wednesday 7th October 2015
Some interesting follow up that I don't pretend to fully understand: http://www.theregister.co.uk/2015/10/07/us_cloud_g...

Like the whole Safe Harbour thing, this looks to be more about muddying the water again than anything else.

DonnyMac

3,634 posts

203 months

Wednesday 7th October 2015
It is muddying the water, it's a nonsense.

You can only hold EU data in the USA if you have written consent of the data owner (you and me, not the organisations that collected it) explicitly confirming they specifically consent to having their personal data held in the U.S.

Nothing else will do.

It's not like a simple soft opt-in where the tick box is already ticked saying I'll send you marketing or you agree to x,y,z, it has to be explicit written consent - always has.

The ECJ has confirmed SafeHarbor is invalid, meaning it's always been invalid. We, in the UK, are covered by the Data Protection Act 1998 which confirms data cannot be held or processed outside of the EU without explicit consent and 'adequate' controls/protection.

U.S. SafeHarbor does not provide this and never has, as this ruling shows.

To the OP, back to the Rackspace issue: we only use them for physical servers, which are in the UK; we don't use them for email for obvious reasons... It's what we do.

Podie

46,630 posts

275 months

Wednesday 7th October 2015
judas said:
It's not Jamie - he was with Register1 and now at Serverstream I believe.
I believe JB no longer has interests with either.

DonnyMac

3,634 posts

203 months

Wednesday 7th October 2015
Podie said:
judas said:
It's not Jamie - he was with Register1 and now at Serverstream I believe.
I believe JB no longer has interests with either.
That's my understanding, superb support whilst he was involved as the 'unofficial' PHer host of choice, heard many horror stories since he sold it.

Podie

46,630 posts

275 months

Wednesday 7th October 2015
Just trying to understand the implications of this....

ExV8

3,642 posts

215 months

Wednesday 7th October 2015
I was at a presentation/conference where this was discussed today.

It seems that subject data access requests and complaints to firms around where data is stored will force regulators (in any of the EU members) to enforce it.

Firms' own governance and policy frameworks will need to be clearly evidenced and then probably tested in court.

What a mess.

Murph7355

37,683 posts

256 months

Wednesday 7th October 2015
My understanding is that model clauses aren't as preferable as Safe Harbour. I believe the latter was US govt backed in essence, whereas the former is a point to point agreement between two companies (which the US govt could ride roughshod over for example, as companies in the US tend to also need to comply with govt directives).

I've seen model clauses accepted, but only after lengthy legal discussions between both parties - the willingness of both is key here... I work for an organisation that would rather the US didn't exist, I think, where data is concerned...

I find the whole data protection thing overly complicated and risible in many ways. I am pretty sure that many of those dp gurus I've spoken to, seemingly in fear of their lives, are Twittered and Facebooked to the max anyway.

judas

5,985 posts

259 months

Wednesday 7th October 2015
Podie said:
judas said:
It's not Jamie - he was with Register1 and now at Serverstream I believe.
I believe JB no longer has interests with either.
Ah, should have checked his LinkedIn profile properly.

The irony of which is not lost on me...

DonnyMac

3,634 posts

203 months

Thursday 8th October 2015
Podie said:
Just trying to understand the implications of this....
In simple terms, do not keep or send any data to the U.S.; if you have data there, get it out and find an alternate supplier of those services if they do not have a European subsidiary.

Massively simplified obviously, but that's it in a nutshell.