Is Safe Harbor still safe for assessment data?
Posted by John Kleeman
A European legal authority last week advised that the Safe Harbor framework which allows European organizations to send personal data to the US should no longer be legal. I’d like to explain what this means and discuss the potential consequences to those delivering assessments and training in Europe.
What European data protection law says about transfers outside Europe
According to European data protection law, personal data such as assessment results or course completion data can only leave Europe if an adequate level of protection is guaranteed. All organizations with European participants must ensure that they follow strict rules if they allow personal data to be transferred outside Europe. Data controllers can be fined if they don’t comply.
A few countries, including Canada, are considered to have an adequate level of protection. But in order to send information to the United States and most other countries outside Europe, it’s necessary to ensure that each data processor who has access to the data guarantees its protection. This includes every processor and sub-processor with access to the data including data centers, backup storage vendors and any organization that accesses the data for support or troubleshooting purposes. Even if data is hosted in Europe, the rules must still be followed if there is any access to it or any copy of it in the US.
There are two main ways in which US organizations can bind themselves to follow data protection rules and so be legitimate processors of European data: the EU Model Clauses or Safe Harbor.
EU Model Clauses
The EU Model Clauses are a standard set of contractual clauses, several pages long, which a data processor can sign with each data controller. Signing signifies a commitment to following EU data protection law when processing data. These clauses cannot be changed or negotiated in any way. Questionmark uses these EU model clauses with all our sub-processors for Questionmark OnDemand data to ensure that our customers will be compliant with EU data protection law.
An alternative to the EU model clauses in the US is Safe Harbor. Safe Harbor (formal name – the US-EU Safe Harbor Framework) is run by the US Department of Commerce and allows US companies to certify that they will follow EU rules for EU data without needing to sign the EU model clauses. You can certify once, and then it applies to all your customers. It’s very widely used, and most large US organizations in assessment and learning are Safe Harbor certified, including Questionmark’s US company, Questionmark Corporation. You can see a full list at http://safeharbor.export.gov/list.aspx.
There is some concern, particularly in Germany, that Safe Harbor is not well enough enforced, so some organizations like Questionmark also use the EU Model Clauses. For example, Microsoft offer these for their cloud products. But Safe Harbor is widely used to ensure the legality and safety of European data sent to the US.
The legal threat to Safe Harbor
Last week, the advocate general of the Court of Justice of the European Union made a ruling that the Safe Harbor scheme should no longer be legal. He argues that the widespread government surveillance by the US is incompatible with the privacy rights set out in the EU Data Protection directive, so the whole of Safe Harbor should be invalidated. His ruling is not yet binding, but rulings by advocate generals are often confirmed and made binding by the court, so there is a genuine threat that Safe Harbor could be suspended.
Negotiations on data protection are underway between the US and Europe, and it is likely that this will be resolved in some way. But there are significant differences in attitude on data protection between Europe and the US. Much anger remains about Edward Snowden’s revelations about US surveillance, so the situation is hard to predict.
What can organizations do to protect themselves?
It’s likely that a deal will be found and that Safe Harbor will remain safe. And if it is ruled illegal, this is going to affect the whole technology sector, not just learning and assessment. But it’s a further argument to use a European vendor for assessment and learning needs and/or one who is familiar with and has their suppliers signed up to the EU Model Clauses.
For more information and background on data protection, see Questionmark’s white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities. John Kleeman will also be presenting at the Questionmark Conference 2016: Shaping the Future of Assessment in Miami, April 12-15. Click here to register and learn more about this important learning event.