This article was first published in the April 2016 UK edition of Accounting and Business magazine.

The question of whether it is safe to send personal European data across the Atlantic to servers in the US is not, as you might suppose, a cyber security issue, but about the data protection and privacy laws for countries in the European Union. 

Until recently, organisations could rely on the principle of ‘safe harbour’, an agreement between the EU and the US that protected personal EU data from prying eyes. But this agreement collapsed following whistleblower Edward Snowden’s revelations that data collected by European companies but stored in the US was being misused, with US companies accused of cooperating with the US National Security Agency’s Prism surveillance programme.

Matters came to a head last October when the European Court of Justice (ECJ) ruled that the safe harbour agreement, including a series of principles concerning the protection of personal data to which US organisations voluntarily subscribed, was invalid. This ruling followed legal moves in Ireland by a 27-year-old Austrian student, Max Schrems, who complained to the Irish data protection commissioner that his privacy was at risk because the Irish subsidiary that held his Facebook data also used servers located in the US.

The 4,400 or so organisations that had been taking advantage of the agreement therefore had to take action quickly to protect themselves and their customers’ data while an updated safe harbour agreement was thrashed out. Action has included the use of appropriate contract clauses, binding corporate rules, public interest grounds or, if there are no other grounds, individual consent.

Bearing fruit

Prior to the ECJ ruling, the EU and US had been working on an updated version of safe harbour, but the Schrems case added impetus to the negotiations, which began to bear fruit when an agreement of principles for a ‘privacy shield’ was signed in February.

The European Commission described privacy shield as an improvement on safe harbour. It sets out obligations on companies handling Europeans’ personal data, robust enforcement, safeguards and transparency obligations on US government access, and effective redress. EU commissioner Vera Jourová says: ‘For the first time ever, the US has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area.’

However, many observers are keeping their counsel until the detail of the deal has been thrashed out. Mark Thompson, privacy practice leader at KPMG, says: ‘The agreement is good news for companies, as a number were clearly going to struggle from a financial and operational point of view with the uncertainty surrounding the movement of personal data. It is likely to take a few weeks until we see the full details of the written agreement. I expect once we have this, some robust challenges will remain around the implementation of the newly coined privacy shield agreement.’ It is ‘an ever-evolving story’, he adds.

Brian Hengesbaugh, a privacy lawyer at Baker & McKenzie in the US, agrees. The privacy shield, he says, is ‘critical for data protection and for the digital economy on both sides of the Atlantic’. The 11th-hour deal was, he says, good news, as national data protection agencies could have begun enforcement proceedings against companies that had not taken steps to implement alternative data protection policies in the absence of safe harbour. ‘The irony is that the shield may offer better protection than model clauses or binding corporate rules or other solutions because it will have features such as an ombudsperson set up to hear complaints about national security surveillance,’ he says.

However, there are a number of hoops to jump through before the agreement can stand up. The Article 29 Working Party, an umbrella group for EU data protection authorities, will need to review the shield before the EU College of Commissioners adopts a fuller ‘adequacy decision’. And at the same time, the US will need to put the necessary preparations in place for the new framework, monitoring mechanisms and a new ombudsman.

Still exposed

In the meantime, companies could still be exposed to legal action. ‘There are still so many unanswered questions,’ says Deirdre Kilroy, head of the intellectual property and technology team at Irish law firm LK Shields, ‘and there is a huge business need for clarity. Many business models are built on cross-border flows of data.’

She suggests that, for the time being at least, and until there is more meat on the bones of the agreement and it has been approved at EU level, the safest position is for organisations to keep track of the latest guidance from their data regulator, and if possible not to export personal data to the US.

Data security companies agree. Marlon Johnson, managing director of the UK’s JMS Secure Data, describes the privacy shield deal as being as clear as mud. ‘Our view is that you have to put in place provisions to safeguard your data if you are going to transfer it, and our advice is to not transfer it to the US but keep it in the EU, as we can give guarantees around security if it is kept here.’

Johnson adds that companies should carry out a data protection and security health check to identify any weaknesses or training requirements. But he adds that, even under safe harbour, many businesses – smaller companies, in particular – were ‘absolutely not’ aware of their obligations. He adds: ‘This is understandable as their main focus is on actually running the business. Because of issues such as hacking, business owners are starting to wake up and smell the coffee, but there is still a lack of understanding.’

Johnson highlights the position of accountants working in and with small businesses – how should they be safeguarding their data and making sure they comply with data protection regulations? Even if an accountancy firm uses an external IT consultancy to provide its IT services, Johnson points out that ‘ultimately it is your responsibility as the data controller’.

This is particularly relevant for those businesses moving their systems to the cloud. ‘If you are using the cloud, what is your understanding of it? Where is the data kept? Who has control of it? What are the encryption protocols?’ asks Johnson.

The UK’s Information Commissioner’s Office, which is responsible for data protection issues in the UK, accepts that there is still a lack of certainty surrounding the privacy shield, but in the meantime recommends that organisations use standard contract clauses and binding company rules to protect themselves if they are looking to transfer data to the US. ‘Organisations should continue to take stock of the transfers they make and have a proper understanding of the legal basis so they are in a good position to act should they need to,’ advises Steve Wood, head of policy delivery at the Information Commissioner’s Office.

Thompson agrees, adding that with new regulations on data in Europe coming down the road, organisations need to build sustainable and flexible privacy environments as they seek to use personal data for their own business ends. He says: ‘The new general data protection regulation is on the horizon, and organisations need to understand that this issue is one of many that they need to address in a pragmatic manner.’

Philip Smith, journalist