Data Protection and Privacy: Important developments

Posted by Jamie Armstrong

As Associate Legal Counsel at Questionmark, I spend a lot of time thinking about data protection and privacy law issues. There have been many important developments over recent months, and I thought it would be interesting for our readers if I summarized just three of these below. I may look at others and/or consider those mentioned here in more detail in a future blog post. With a dedicated in-house technical and legal team, Questionmark is continuously monitoring changes in this field and my role helps to ensure that Questionmark is ahead of the curve in protecting our customers.

1. For around fifteen years, organizations transferring personal data from the European Union to the United States were able to rely on the US-EU Safe Harbor Agreement as a legal basis for such transfers. The Safe Harbor Agreement allowed organizations to self-certify compliance with certain data protection standards. In October 2015, the Court of Justice of the EU invalidated the EU decision that underpinned this arrangement. This meant that organizations transferring relevant data had to review their arrangements to ensure such transfers remained legal by different means, such as the EU Standard Contractual Clauses or Binding Corporate Rules – Safe Harbor can no longer be relied on for transfers of EU personal data to the US.

2. The final text of the new General Data Protection Regulation (“GDPR”) was agreed in April this year, and the GDPR will have legal effect from May 2018. From that date, the GDPR will replace the current Data Protection Directive and will apply in all EU member states without any implementing national law being required. This should help multinational organizations with compliance, as there will be more uniformity than there is now. The GDPR includes some new obligations, such as requiring the appointment of a data protection officer in certain cases, hence the two-year lead-in period to allow organizations time to prepare. The GDPR is relevant for organizations based outside the EU, as it has broader territorial effect where the processing of EU personal data is involved.

3. After Safe Harbor was invalidated, the US and EU authorities worked together on a replacement, known as the Privacy Shield. The initial agreed text received a cool response in Europe and was subsequently revised to address concerns, including around possible continued surveillance in the US and the insufficiency of the Ombudsman role created to consider complaints. It is expected that the mechanics of the Privacy Shield will operate similarly to Safe Harbor (but with stricter requirements), with voluntary compliance certification to the US Department of Commerce possible from August 1 of this year. Unlike the EU Standard Contractual Clauses and Binding Corporate Rules, the Privacy Shield, as with Safe Harbor, will only apply to transfers of data from the EU to the US. The collective of EU data protection authorities has recently said it will not legally challenge the Privacy Shield for at least a year, to provide an opportunity to gauge how it operates in practice.

With the above representing a very simplified summary of just three important recent developments in the data protection and privacy law field, organizations that control and process personal data clearly need to maintain a heightened level of vigilance to be positioned to respond to the shifting landscape. Check back here for updates on these and other relevant developments in future blog posts.

Disclaimer: This blog post is provided for general information purposes only and does not constitute legal advice. Any views included are personal to me.


Is Safe Harbor still safe for assessment data?

Posted by John Kleeman

A European legal authority last week advised that the Safe Harbor framework which allows European organizations to send personal data to the US should no longer be legal. I’d like to explain what this means and discuss the potential consequences to those delivering assessments and training in Europe.

What European data protection law says about transfers outside Europe

According to European data protection law, personal data such as assessment results or course completion data can only leave Europe if an adequate level of protection is guaranteed. All organizations with European participants must ensure that they follow strict rules if they allow personal data to be transferred outside Europe. Data controllers can be fined if they don’t comply.

A few countries, including Canada, are considered to have an adequate level of protection. But in order to send information to the United States and most other countries outside Europe, it’s necessary to ensure that each data processor who has access to the data guarantees its protection. This includes every processor and sub-processor with access to the data, including data centers, backup storage vendors and any organization that accesses the data for support or troubleshooting purposes. Even if the data is hosted in Europe, the rules must still be followed if there is any access to it, or any copy of it, in the US.

There are two main ways in which US organizations can bind themselves to follow data protection rules and so be legitimate processors of European data: the EU Model Clauses or Safe Harbor.

EU Model Clauses

The EU Model Clauses are a standard set of contractual clauses, several pages long, which a data processor can sign with each data controller. Signing signifies a commitment to following EU data protection law when processing the data. These clauses cannot be changed or negotiated in any way. Questionmark uses these EU Model Clauses with all our sub-processors for Questionmark OnDemand data to ensure that our customers will be compliant with EU data protection law.

Safe Harbor

An alternative to the EU Model Clauses in the US is Safe Harbor. Safe Harbor (formal name: the US-EU Safe Harbor Framework) is run by the US Department of Commerce and allows US companies to certify that they will follow EU rules for EU data without needing to sign the EU Model Clauses. You certify once, and the certification then applies to all your customers. It’s very widely used, and most large US organizations in assessment and learning are Safe Harbor certified, including Questionmark’s US company, Questionmark Corporation. You can see a full list at http://safeharbor.export.gov/list.aspx.

There is some concern, particularly in Germany, that Safe Harbor is not well enough enforced, so some organizations, like Questionmark, also use the EU Model Clauses. For example, Microsoft offers these for its cloud products. But Safe Harbor is widely used to ensure the legality and safety of European data sent to the US.

The legal threat to Safe Harbor

Last week, the advocate general of the Court of Justice of the European Union made a ruling that the Safe Harbor scheme should no longer be legal. He argues that the widespread government surveillance by the US is incompatible with the privacy rights set out in the EU Data Protection Directive, so the whole of Safe Harbor should be invalidated. His ruling is not yet binding, but rulings by advocates general are often confirmed and made binding by the court, so there is a genuine threat that Safe Harbor could be suspended.

Negotiations on data protection are underway between the US and Europe, and it is likely that this will be resolved in some way. But there are significant differences in attitude on data protection between Europe and the US. Much anger remains about Edward Snowden’s revelations about US surveillance, so the situation is hard to predict.

What can organizations do to protect themselves?

It’s likely that a deal will be found and that Safe Harbor will remain safe. And if it is ruled illegal, this is going to affect the whole technology sector, not just learning and assessment. But it’s a further argument to use a European vendor for assessment and learning needs and/or one who is familiar with and has their suppliers signed up to the EU Model Clauses.

For more information and background on data protection, see Questionmark’s white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities. John Kleeman will also be presenting at the Questionmark Conference 2016: Shaping the Future of Assessment in Miami, April 12-15.