Writing for Business Advice, law firm Wright Hassall’s Samantha Woolley takes a close look at how Britain’s small businesses might be affected by the new personal data transfer measures set out in the EU-US Privacy Shield.
The Privacy Shield, announced by the European Commission on 29 February 2016, provides a revised mechanism for legitimately transferring EU citizens’ personal data to the US. Whilst we wait to see whether it will be formally adopted, small businesses that transfer data to the US should prepare for its arrival and evaluate all data transfers made to the US.
How will the Privacy Shield affect small firms?
If your business transfers any information relating to an identifiable living EU citizen to any country outside the EU, you must comply with EU data protection rules. This includes carrying out due diligence on the companies that you transfer data to and ensuring that your contractual relationship is sufficient to safeguard any personal data transferred.
The Privacy Shield will be relevant to your business if it transfers personal data to the US by any means. Common examples of ways in which small businesses might transfer data to the US are:
- using online facilities to process payments
- outsourcing data to third-party processors in the US
- using cloud storage providers
- using a website hosting provider
If you use any of the above services, or anything similar, you should check your terms and conditions with these providers to see where the data is being processed, stored or hosted.
Why is the Privacy Shield needed?
In order to protect personal data relating to EU citizens, EU law prohibits such data from being transferred to countries which do not ensure an adequate level of protection. The EU does not regard the US as having a sufficient level of protection for EU citizens’ data. However, an agreement between the EU and US known as “Safe Harbor” was established in 2000 to allow US companies to self-certify that they would adequately protect data transferred to them.
Following a high-profile case against Facebook for transferring data to the US National Security Agency (NSA), in October 2015 the EU’s court of justice ruled that Safe Harbor was no longer an adequate mechanism for transferring data to the US.
Following several months of uncertainty and negotiation, the EU and US have now agreed upon the Privacy Shield as a revised mechanism of legally transferring data to the US.
What is the Privacy Shield and how is it different to Safe Harbor?
The Privacy Shield is essentially a list of principles with which US organisations can self-certify compliance. The principles are designed to safeguard data to the same standard as it would be protected within the EU. The US will maintain an up-to-date list of members, and inclusion on that list can be relied on as a basis for legally transferring data to the listed organisation.
This is the same format as Safe Harbor. However, the principles under the Privacy Shield impose stronger obligations on companies and are more rigorous than Safe Harbor because:
- The Privacy Shield will contain limitations on the US government’s ability to access such data
- The US government has given assurances that it will not carry out mass surveillance operations on EU citizens’ data
- Compliance with the Privacy Shield principles will be actively monitored and enforced by US authorities
- There will be sanctions on companies for failure to comply
- EU citizens will have the same rights as US citizens if their privacy is breached and there will be a number of accessible avenues of redress for EU citizens
- An annual review will take place to ensure that it remains effective
What should small business owners be doing?
The current situation is uncertain because the Privacy Shield has not yet been formally implemented. Transferring data on the basis of Safe Harbor is no longer adequate – however, there are other means of legitimately transferring data to the US, such as including specific model contract clauses in agreements with US companies.
The Information Commissioner’s Office (ICO) guidance to UK companies is to keep up to date with developments in this area and be ready to react swiftly when the Privacy Shield is implemented (whether in its current form or not).
What if small firms don’t comply with data protection law?
Be aware that failure to comply with the law on data protection could leave your business open to fines from the ICO of up to £500,000, which will soon increase to four per cent of annual turnover. If you transfer personal data to a US company that has not signed up to the Privacy Shield once implemented, you could be in breach of data protection legislation unless you use another approved mechanism.
It is therefore important to evaluate any data transfers outside of the EU to ensure that your organisation is compliant with the law. Talk to a solicitor for further advice or to review your current data protection arrangements.
Samantha Woolley from Wright Hassall LLP advises clients on outsourcing, technology and commercial transactions.