The European Court’s declaration today that the European Commission’s fifteen year old decision on the US Safe Harbor scheme is no longer reliable is another recognition that Data Protection requires continuing assessment, rather than one-off decisions. European regulators have been recommending for years that neither data controllers nor companies to which they export data should rely on Safe Harbor certification alone. The U.K. Information Commissioner has published a guide to data controllers on how to assess whether exporting personal data involves unacceptable risks. He considers such assessments an acceptable way to satisfy the export requirements (Principle 8) of the Data Protection Act 1998.
Janet and Jisc have always followed this approach in discussions with cloud providers – not relying on Safe Harbor, but seeking additional contractual and operational measures to protect personal data. We therefore believe that these agreements should continue to be a good basis for customers’ risk assessments in whatever regime may follow from today’s judgment.
Safe Harbor is already being reviewed by the European Commission and US authorities, with a new legal provision currently awaiting approval from the US Congress. The new Data Protection Regulation, expected to be agreed within the next year, will also alter the legal situation that the Court was considering. With these changes already under way it seems unlikely that the Information Commissioner will expect data controllers to change existing arrangements in the short term – certainly not before his office has had time to review the judgment and its own guidance.
[UPDATE] As information becomes available for each of Jisc’s agreements with cloud providers, we’ll publish it on the relevant group for each agreement:
