Recent data breaches at TalkTalk and Ashley Madison served as a reminder that not even large organisations are immune to data security attacks.

Small to medium business enterprises (SMEs) often work in tandem with a number of organisations, involving the movement of personal data between different organisations and/or countries.

Many businesses, particularly those with limited resources, use cloud service providers based in the USA for data storage and backup solutions.

Data protection legislation requires that personal data must not be transferred to a country outside of the European Economic Area without an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The European Commission has previously approved certain mechanisms that will achieve this outcome, including:

  • Where the transfer is to a country where the EU Commission has made a 'positive finding of adequacy'
  • If the transfer was to the USA, where the US recipient of the data had signed up to the US Department of Commerce Safe Harbour Scheme
  • Where adequate safeguards can be put in place

In October, in the EU Court of Justice, the Austrian privacy campaigner Mr Schrems challenged Facebook's reliance on the safe harbour regime as the legitimate basis for transferring its members' personal data to the USA.

Within the judgment, the question of massive and indiscriminate surveillance was a key element of the court's analysis and was considered incompatible with the EU legal framework for the protection of personal data. Consequently, third countries where the powers of state authorities to access information go beyond what is necessary in a democratic society are not considered safe destinations for data transfers.

The court ruled that the safe harbour regime was invalid. The terms of the judgment cast doubt on the future validity of other transfer mechanisms, given that transferred data is likely to be accessed by intelligence services, whether in the US or elsewhere.

What do SMEs need to do?

1) There is no need to rush to change.

The Information Commissioner's Office advises that businesses should take stock of their data transfer arrangements. Consider:

  • What personal data is being transferred outside of the EU?
  • Where is it going?
  • Are there adequate protection measures in place?
  • What alternative mechanisms might be used if there is no progress on a new safe harbour?

2) The underlying message from the recent Schrems decision was about unacceptable, massive and indiscriminate surveillance. Consequently, relying on any other method of data transfer outside of the EEA may not be satisfactory in the long term.

3) Seek advice from a specialist business lawyer about whether changes are required to contracts with cloud service providers.

4) Investigate the possibility of encryption. A robust key management arrangement is crucial to maintaining the level of protection that encryption can offer.

If there are data breach complaints, an SME cloud customer would need to show that it had taken appropriate steps to ensure that its use of cloud services provides an appropriate level of protection for the rights of data subjects.

John Deane leads the commercial law team at Slater and Gordon Lawyers

Get in touch by visiting slatergordon.co.uk or call Freephone 0808 175 8000