Today the EU/US Safe Harbour agreement was declared invalid by the EU’s highest court, the Court of Justice of the European Union. The ruling could have a significant impact on how companies handle personal data in Salesforce and in other computer systems.
EU data protection law, as implemented in the UK by the Data Protection Act 1998 (the Eighth Principle):
“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”
(Part 1 of Schedule 1 to the DPA 1998).
The Safe Harbour agreement was created nearly 15 years ago to protect EU citizens’ data when it is processed in the US, because the data protection laws in the EU are stricter than those in the US. Essentially, a US company needed to self-certify under the EU/US Safe Harbour framework before handling the personal data of EU citizens. By signing up to Safe Harbour, the US company was saying that it protects the data in line with a framework that complies with EU data protection law.
But Edward Snowden changed this…
The judgment finds that, because US surveillance law lets the authorities access data transferred there, the Safe Harbour framework cannot guarantee EU citizens an adequate level of protection, so Facebook’s self-certification under it (which it had made) cannot be relied on. When these data protection issues were “first discovered” 15 years ago, the consequence was that an international company like Salesforce would not even have been allowed to view the details of its EU-based employees from outside the EU; the Safe Harbour framework was set up to fix this. In Facebook’s case it is now down to the Irish data protection authority (Facebook’s EU operations are registered in Ireland) to decide its fate… but what about the rest of the industry?
What does this mean for Salesforce & your data?
Safe Harbour has had issues for some time, and Salesforce has been quick off the mark to implement the “model clauses”. US companies can put these model clauses into their contracts to state how they protect the data so as to comply with EU data protection law. Because Salesforce has adopted the standard model clause template published by the European Commission, rather than drafting its own terms, this makes things easier: there is nothing to negotiate. But you do need to sign the clauses and send them to Salesforce; check out the Salesforce FAQ for more information.
What does this mean for other providers you use?
What other applications do you use that process EU citizens’ information? Any AppExchange applications? Remember that personal data is any information relating to an identifiable individual; a name plus an email address is already enough. How and where is the information processed? Have you done your due diligence? If a provider has not already implemented the model clauses, think about doing the following:
- Conduct a risk assessment into whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects (EU employees, customers etc.); or
- if you do not find that there is an adequate level of protection, put in place adequate safeguards to protect the rights of the data subjects, for example Model Contract Clauses or Binding Corporate Rules; or
- consider using one of the other statutory exceptions to the Eighth Principle restriction on international transfers of personal data (those set out in Schedule 4 to the DPA 1998, such as the data subject’s consent to the transfer).
Disclaimer: I’m no lawyer and this doesn’t constitute legal advice so please seek professional advice.