Latest Public Sector News

Dealing with personal data in the absence of safe harbor

Information management expert David Haynes writes on the public sector implications of the collapse of the transatlantic ‘Safe Harbor’ data privacy rules, and what the future holds for public sector IT procurement in the light of recent changes.

Globalisation of business has presented many challenges and some benefits for the public sector. On the one hand it presents greater choice, more competition, higher standards and economies of scale. This might be expected to bring down costs; instead of a few national suppliers, governments and public service providers have access to a much wider range of services. 

The downside of globalisation is the loss of national sovereignty. It has proven very difficult to regulate transnational enterprises, which are able to play governments off against one another. This can be on the level of bidding wars to secure a new manufacturing plant, through to tax avoidance schemes where the profits are effectively exported to low-tax territories. Without a co-ordinated response from governments, this is a difficult hole to plug. There are parallels with regulation of personal data held by transnational corporations. 

Risk of a data protection breach 

To some extent the Data Protection Directive (European Commission 1995) was seen as an international regulatory regime across the EU. One of the provisions of the Directive is the principle that data controllers (including local authorities, central government departments and other public sector bodies) should not export personal data to territories that do not protect personal data. Using outsourced IT services, payroll and accounting services, online HR functions, or even using Google Docs, Outlook 365 or Dropbox exposes UK organisations to the risk of breaching the Data Protection Act (1998). Inevitably, personal data will end up in the cloud and many of these depend on a distributed architecture to ensure resilience and ease of disaster recovery. 

If organisations do export personal data, they need to make sure there are appropriate measures in place to protect that data to a similar standard to that provided by the EU legislation. 

There is no general data privacy legislation in the United States. Regulation of personal data is by industry, so there are specific provisions for the insurance and health industries, for instance. This does not cover IT service providers in general. 

The self-regulatory approach was considered to be a balance between the desirability of lowering trade barriers between the EU and the United States and the need to ensure that EU citizens’ privacy rights are protected. 

The development of Safe Harbor 

Concerns that the data protection regimen in the EU might be a barrier to trade with the US led to the development of the US-EU Safe Harbor agreement (International Trade Administration 2009). Although this is based on an agreement between the European Commission and the US authorities, it is a voluntary arrangement with no external verification of registrations required. 

As far back as 2002, commentators were concerned about the fundamental differences in approach to data protection in Europe and the United States. Safe Harbor, as a self-regulatory scheme, has been considered weak and with many loopholes. It has not been rigorously enforced by the Federal Trade Commission. 

The end of the agreement 

Despite its shortcomings, the EU-US Safe Harbor Agreement has persisted for some time. However, in 2015 the European Court of Justice (ECJ) ruled that the agreement was no longer admissible for demonstrating compliance with Principle 8 of the Data Protection Directive, governing the transfer of personal data outside the EU. 

The ECJ ruled on the basis that there was no guarantee that a business would not be compelled to pass on personal data to security agencies such as the National Security Agency in the US and that this would constitute a breach of “the right to respect for his private and family life” (ECHR & Council of Europe 1950). 

The UK regulator, the Information Commissioner’s Office (ICO), emphasises that the Safe Harbor framework was only one way of allowing transfer of personal data. Others include: 

• Contracts such as End-User Licence Agreements (EULAs) used by software companies or other terms of service agreements.
• Binding corporate rules that ensure data protection principles are followed are also acceptable. Some international corporations have created European data centres which are ring-fenced to ensure that personal data is not transmitted outside the EU.
• Finally, there is always the option of individual consent by data subjects. 

In February 2016, the European Commission and the US Federal Trade Commission announced a new framework, the EU-US Privacy Shield, as a replacement for the Safe Harbor Agreement. According to the announcement, under the new arrangement US companies “will need to commit to robust obligations on how personal data is processed”. Enforcement will be monitored and the “US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement”. 

Cloud services 

Cloud services present a particular challenge, because the location of servers is not always obvious. Popular services store data outside the EU and this fact may be hidden in the smallprint of any agreement. If entering a contract, public authorities need to clarify: 

• The location of the data centre
• The location of back-up sites
• How the data is transmitted
• Precautions taken to protect personal data (for instance by data encryption)
• Measures taken to prevent eaves-dropping by security agencies, hackers, foreign intelligence agencies and terrorists 

Public bodies in the UK are subject to scrutiny by the ICO for compliance with the Data Protection Act 1998. Asking basic questions of service providers can give some reassurance about the measures being taken to protect personal data. However, enforceable contractual agreements along with technical measures such as encryption will help to ensure that personal data is protected. This needs to be supported by the establishment of robust procedures for handling personal data and for monitoring compliance as part of internal information governance. It also means keeping the public informed of any changes to data handling or major data breaches. 

Further advice is available from the ICO. The International Privacy Conference has also proposed some non-legislative measures for improving compatibility (standardisation) of privacy protections across the Atlantic. 

About the author 

David Haynes is an information manager and project manager who has worked extensively throughout the public sector in the UK and overseas. He completed a doctorate on the regulation of access to personal data in 2015 at City University London where he is also a visiting lecturer on Information Management.

Tell us what you think – have your say below or email [email protected]