Since my earlier post, Is Safe Harbor still safe for assessment data?, the European Court of Justice has ruled that the Safe Harbor mechanism under which many transfers of personal data from Europe to the US take place is no longer valid. Here is how Questionmark customers typically remain safe in spite of this invalidation.
What is the EU-US Safe Harbor Framework?
The EU-US Safe Harbor Framework was established by the European Commission and the US government in 2000 to facilitate transfers of personal data from the EU to eligible US companies that certify to and comply with the Safe Harbor principles. You can see more about Safe Harbor at the US government website: http://www.export.gov/safeharbor/.
What did the European Court of Justice decide on 6 October 2015 regarding the EU-US Safe Harbor Framework?
Essentially, the European Court of Justice decision means that the EU-US Safe Harbor Framework does not provide a valid legal basis within the European Union for transfers of personal data from Europe to the US. The Court reached this conclusion by invalidating the European Commission’s 2000 decision approving Safe Harbor as adequately protecting personal data.
What does the European Court of Justice decision mean for the use of Questionmark OnDemand by organizations based in the EU?
Questionmark has been following these developments and has been aware of concerns about Safe Harbor for some time. Questionmark has measures in place with its non-EU subcontractors who hold OnDemand data. These arrangements include the EU Model Clauses which were not invalidated by the European Court of Justice.
If you are using our European OnDemand service, then all data is hosted in the European Union. In the rare cases that data leaves the European Union, for example for troubleshooting purposes, we have EU Model Clauses in place with any non-EU subcontractors to ensure that any such data transfer is legal, and we regularly review the security of such subcontractors.
Most EU customers of Questionmark use our European OnDemand service, but if you are an EU customer using our US OnDemand service, then this service is delivered from our US data center. However, providing your contract with or invoice from Questionmark is with Questionmark Computing Limited, the UK headquarters company of Questionmark, then you should have no cause for concern. Questionmark is legally obliged to follow UK data protection law. Also, we have EU Model Clauses in place with Questionmark Corporation, and through the corporation with the US data center that delivers the US OnDemand service. So we do not rely on Safe Harbor for personal data stored within Questionmark OnDemand.
What does the European Court of Justice decision mean for the use of Questionmark OnDemand by an organization based outside of the EU?
Organizations without EU personal data will not be concerned about this ruling, which only applies to transfers of personal data from the EU. Questionmark continues to place the highest value on security for all our customers, and this legal ruling doesn’t change that.
If you have EU personal data and you are not based in the EU, please raise any questions you may have about this with your account manager at Questionmark. We will do everything we can to help you.
What about the US Patriot Act? Is my data stored with Questionmark vulnerable to legal action under the Patriot Act?
Unlike many technology vendors, Questionmark is headquartered in Europe. This means that the services we offer from Europe to our European customers are resistant to legal action within the US, such as under the Patriot Act.
Questionmark’s European OnDemand Service is run by a UK company using a European owned data center operator.
What if I am using Questionmark Perception?
If you are using Questionmark Perception your organization hosts the data and is responsible for compliance with local, and potentially, international laws. So so you need to seek independent legal advice as to whether your systems are configured correctly and whether your subcontractors have signed up to the EU model clauses. You will not normally need to send personal data to Questionmark, however, it may be necessary for us to ask for a copy of your Perception database to troubleshoot an issue, and if you do so, we will treat this securely. If you have any concerns about this process as a result of the Safe Harbor ruling, please raise with your account manager. You may also want to consider migrating to Questionmark OnDemand – please contact your account manager for further information.
This blog post has been written and is provided for general informational purposes only. The content of this blog does not constitute legal advice of a general or specific nature, and readers should consult an attorney to establish how these recent developments impact their organizations.