The European Court’s scrapping of the US-EU Safe Harbour agreement has raised some confusion and concern within the UK education and research sector. Fortunately, there’s no need to panic.
Two weeks ago the Court of Justice of the European Union (CJEU) decided that the Safe Harbour agreement, which was concerned with the transmission of personal data to the US, was invalid.
This means that, in certain circumstances, US regulation is no longer considered to protect personal data to the level required by European law.
The upshot is that data which previously passed to the US by relying solely on the Safe Harbour agreement will now have to use other mechanisms, such as technical measures or suitable clauses in contracts with service providers, to satisfy the requirements of European regulators.
Why is this of such interest to UK research and education?
Education and research are global activities and there are lots of reasons why institutions export personal data, for example when they are engaged in collaborative research or teaching, or when they’re using services from overseas providers.
To be clear, not all of these arrangements relied on the Safe Harbour agreement. For example, Safe Harbour was never applied to data transfers to US universities, public sector and non-profit organisations, so this activity should be unaffected.
Where the change is most likely to have an effect is in agreements with American commercial services that process personal data - for example, through cloud computing or outsourcing arrangements.
If institutions are using cloud services such as data storage or application suites through agreements with US-based companies, they now need to have a close look at their agreements to ensure individuals’ rights still have adequate protection.
We’re advising organisations that have made direct agreements with US-based service providers to adopt the same three-step process that we’re following at Jisc:
- Identify activities which involve transferring personal data out of Europe
- Consider whether these depend on Safe Harbour, or if adequate protection of individuals’ rights is provided by other means. The world’s top service providers are in the process of responding to the Safe Harbour judgement. Our dedicated community groups have the latest details on the responses relating to Janet Cloud Services, Microsoft Office 365, Google Apps, Amazon Web Services, and File Sync and Share
- Agree improved protection for activities where this is needed
There is no need to panic or rush. The UK regulator has indicated that data exporters will be allowed a reasonable period of time to consider whether arrangements need to change.
How can Jisc help?
The CJEU’s decision provides one more example of how cloud services continue to be influenced by legislation, regulations, technical development and evolving best practice around the globe.
It demonstrates why organisations need to remain knowledgeable in these areas to safely benefit from the opportunities inherent in using cloud services.
At Jisc we have always followed a continuing, multiple-mechanism approach to data protection rather than relying on one-off decisions such as Safe Harbour.
In discussions with cloud providers we have persistently sought additional and contractual measures to protect personal data, and we believe that the agreements we have reached for our customers should continue to be a good basis for customers’ risk assessments in whatever regime may follow Safe Harbour.
The cloud services team at Jisc takes the leading role in drawing together expertise and knowledge and brokering cloud services for the research and education sectors. If institutions are concerned about what this latest development means for them, we encourage them to check the latest news on Jisc's cloud agreements, or contact us at firstname.lastname@example.org.