Is Safe Harbour No Longer Safe?
The Court of Justice has today declared that the Commission’s US Safe Harbour Decision is invalid.
This means that any lender using a server provider which transfers information to the US is no longer exempt from the ICO checking whether US firms are taking adequate data protection measures.
The Court of Justice stated:
Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity.
The European Commission is expected to hold a press conference today in relation to this.
Our previous blog on using Amazon and Google as a server provider has already raised interest. It would seem that, on top of the FCA wanting to be able to attend the physical office where your servers are held, you should now carry out further due diligence on the provider, checking that they have adequate measures in place for data protection. Personal data should no longer be transferred to US bodies solely on the basis that they are Safe Harbour-certified.
Bearing in mind that Authorisation applications are still continuing, it would be wise to be proactive. Do further due diligence on your server provider and ensure that they send you a new contract with standard data protection clauses which will, hopefully, give comfort to the FCA.