Safe Harbor fallout: where are we now?

As we all know, the EU decided to invalidate Safe Harbor on 6 October 2015.  Please see our Insight article and blog post for a quick recap.  But what has happened since?

Article 29 WP Guidance

The most significant guidance is from the A29 WP.  The key points were:

  • International data transfers from Europe based on Safe Harbor are now unlawful;
  • Model Clauses (also known as Standard Contractual Clauses) and Binding Corporate Rules (BCRs) can still be used.  However they are under review and do not prevent individual DPAs from investigating particular cases;
  • By the end of January 2016, if no appropriate solution with the US authorities is found, EU DPAs will take “appropriate actions” (= enforcement?)
  • For more information on the Working Party statement, please see our blog post.

What do DPAs say?

Most EU DPAs have now issued statements on Safe Harbor.  Many welcomed the decision!

The UK approach is “don’t panic”.  The ICO has said that there are alternative mechanisms to Safe Harbor and recommends model clauses.

The French DPA (the CNIL) calls on companies to implement model clauses to transfer data to the US but doesn’t reference other transfer mechanisms such as BCRs or the derogations (e.g. consent).  The CNIL also re-affirms the Working Party position on possible enforcement in due course.

The most extreme position comes from the German DPA for the Schleswig-Holstein.  It disagreed with the Working Party opinion and said that neither model clauses nor consent provide a legal basis for data transfers.  However, the joint position paper of the German Federal State DPAs simply said that German DPAs will not issue “new approvals” on the basis of BCRs or data export agreements.  This is certainly “drawing a new line in the sand”.  In addition, this has slowed down German approvals of BCRs and any approvals of transfer agreements (where approval is required).  However, provided you use the standard Model Clauses, no approval is required in Germany.

What are companies doing in practice?

Companies are seeking to address the issue proactively.  Some are conducting assessments to identify what data is being transferred internationally.  Others are incorporating this within global privacy audits and programmes.  As a minimum, companies are implementing model clauses both intra-group and with vendors.  There is usually a need to prioritise the larger transfers of more sensitive information and the bigger vendor offerings to get the job done.  As we know, many vendors are offering pre-signed Model Clauses.  These need careful review.  Some strike a fair balance between strict legal requirements and a pragmatic approach but some go further.

What’s next?

We are told that the new Safe Harbor deal is imminent. But we are living in a time of uncertainty.  So risk-based decisions are required.

As you’ll have seen, the final GDPR text was released this week too!

A little more holiday reading….

Integrit – File Verification System

Integrit is a file verification system, a simple yet secure alternative to products like tripwire. It has a small memory footprint, uses up-to-date cryptographic algorithms, and has features that make sense (like including the MD5 checksum of newly generated databases in the report). The Integrit system detects intrusion by detecting when trusted...

Read the full post at

Bernie Sanders campaign improperly accessed Clinton voter data, DNC says

Democratic presidential candidate Bernie Sanders. (credit: Michael Vadon)

The Democratic National Committee has cut off the Bernie Sanders campaign's access to a voter database after allegations that Sanders staff members improperly viewed confidential information gathered by the campaign of Hillary Clinton.

The Sanders campaign fired the staff member who was responsible for accessing the data, according to multiple media reports. The breach was made possible by a bad patch applied by the software vendor that operates the database.

"The discovery sparked alarm at the DNC, which promptly shut off the Sanders campaign’s access to the strategically crucial list of likely Democratic voters," The Washington Post reported today. "The DNC maintains the master list and rents it to national and state campaigns, which then add their own, proprietary information gathered by field workers and volunteers. Firewalls are supposed to prevent campaigns from viewing data gathered by their rivals."

Read 6 remaining paragraphs | Comments