Home Knowledge Storm Clouds in the Harbor?

Storm Clouds in the Harbor?

August 5, 2013
Partner
Leo Moore

The US Department of Commerce’s International Trade Administration (ITA) has issued a guidance document to address concerns from businesses and data protection organisations regarding the adequacy of Safe Harbor in facilitating compliance with EU data protection laws for cloud computing services based in the US.

The EU Data Protection Directive provides that personal and sensitive personal data may only be transferred outside of the EU/EEA to countries which have a formally recognised “adequate level of protection” for such data or an equivalent to such. The EU Commission issued a decision in 2000 that determined Safe Harbor would be adequate for the purpose of data protection compliance, but the emergence of cloud computing has brought with it some challenges yet to be addressed.

Questions over the adequacy of Safe Harbor as it relates to cloud computing were flagged in an opinion published in July 2012 by the Article 29 Working Party (an EU-wide grouping of data protection regulators). The opinion raised several concerns over the cloud computing business model in terms of its compliance with the Directive’s adequacy requirements, in particular noting that self-certified compliance with Safe Harbor by itself may not be sufficient to guarantee compliance with the Directive and that evidence of appropriate data protection standards may also be required. The ITA guidance document provides assurance that the “existing Safe Harbor Privacy Principles are comprehensive and flexible enough to address the issues raised by the cloud computing model”. In doing so, the guidance document details the contractual obligations of US cloud service providers and addresses issues raised by the Article 29 Working Party in relation to the adequacy of Safe Harbor. The ITA believes that EU data protection authorities do not have the power to unilaterally refuse to recognise Safe Harbor self-certification as valid.

The ITA concludes that Safe Harborcontinues to offer eligible US organizations…an officially recognized means of complying with the Directive’s “adequacy” requirement”. The US guidance document is intended to offer some certainty to those businesses that either offer cloud computing services from the US or that wish to avail of the advantages that can be gained from this growing sector. However, given the increased powers of EU data protection authorities under the new draft Data Protection Regulation, there is sure to be more debate on this difference of interpretation between the EU and the US.

Contributed by: David Cullen

Recommended Insights

See all
Article and Insights
1
Feb 2024
Responsible Business Annual Report 2023
William Fry is pleased to launch its Responsible Business Annual Report 2023.
Article and Insights
2
Feb 2024
Digital Operational Resilience Act – second batch of technical standards launched for consultation
We focus on the second batch of draft implementation measures announced by the Eur...
WF_author_blank
Partner
John O’Connor
Article and Insights
2
Feb 2024
John Delaney Documents – Supreme Court Refuses Leave to Appeal
The Supreme Court has refused leave to appeal from a decision rejecting John Delan...
WF_author_blank
Partner
Deirdre O’Donovan
Article and Insights
24
Jan 2024
Cross-Examining Affidavit Evidence in Insolvency Cases
The High Court recently dismissed a petition seeking the winding up of a biofuel c...
WF_author_blank
Partner
Fergus Doorly
prev
next
See all