EU Safe harbour ruling & how that affects Salesforce

Today the EU/US Safe Harbour agreement was deemed to be invalid by the EU’s highest courts. The EU Safe Harbour ruling could have a significant impact on how companies handle data in Salesforce or other computer systems.

EU Data Protection law:

“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data” (Part 1 of Schedule 1 to the DPA).

The Safe Harbour agreement was created nearly 15 years ago to protect EU citizens’ data when it is processed in the US, because data protection laws in the EU are stricter than those in the US. Essentially, US companies needed to sign up to the EU/US Safe Harbour agreement before handling data from EU citizens. By agreeing to Safe Harbour, a US company is essentially saying that it protects the data in line with the Safe Harbour framework, which is compliant with EU data protection laws.

But Edward Snowden changed this…

The judgement says that Facebook couldn’t possibly sign the agreement (which it has) due to the secret data-snooping laws in the US. When data protection issues were “first discovered” 15 years ago, it meant that an international company like Salesforce wouldn’t even be allowed to see the details of its EU employees from outside the EU, and the Safe Harbour framework agreement was set up to fix this. But in Facebook’s case it’s now down to Ireland (where Facebook is registered in the EU) to decide its fate… but what about the rest of the industry…

What does this mean for Salesforce & your data?

Safe Harbour has had issues, and Salesforce has been quick off the mark to implement the “model clauses”. US companies can put these model clauses in their contracts to say how they are protecting the data to comply with EU data protection law. Because Salesforce has created the model clauses, it does make things easier, as Salesforce is saying that it follows the standard model clause template as created by the EU Data Commission. But you do need to sign these and send them to Salesforce; check out the Salesforce FAQ for more information.

What does this mean for other providers you use?

What other applications do you use that process EU citizens’ information? Any AppExchange applications? Remember, all it takes is two pieces of identifiable information, e.g. name and email address. How and where is the information processed? Have you done your due diligence? If the providers haven’t implemented the model clauses already, think about doing the following:

  1. Conduct a risk assessment into whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects (EU employees, customers, etc.); or
  2. if you do not find there is an adequate level of protection, put in place adequate safeguards to protect the rights of the data subjects, possibly using Model Contract Clauses or Binding Corporate Rules; or
  3. consider using one of the other statutory exceptions to the Eighth Principle restriction on international transfers of personal data.

 

Disclaimer: I’m no lawyer and this doesn’t constitute legal advice so please seek professional advice.
