UK watchdog offers 'safe harbor' advice on US data transfers

David Smith, deputy information commissioner, said businesses should "take stock" of their data transfer arrangements and review whether they provide adequate protection of personal data, as is required by EU law. Smith's comments follow a ruling by the Court of Justice of the EU (CJEU) earlier this month. The CJEU ruled that …

  1. Paul Crawford Silver badge

    Consent?

    "Of course transfers can always be made on the basis of an individual's consent"

    No that should not be the case, as that is asking someone to sign away their rights because they need gas or electricity, etc. Deciding not to deal with a given company because they are going to send my data to the US is often not an option, as you may only have one or two suppliers and enough do it to make competition on that basis impractical.

    If I decide to deal with a US company that is one thing, but any company claiming to operate in the EU should not be allowed to break basic rights in return for slightly cheaper IT back-end supply.

    1. DocJames
      Headmaster

      Context required Re: Consent?

      Of course transfers can always be made on the basis of an individual’s consent

      If you look at the surrounding statements, it is clear that he's arguing that freely given consent shouldn't be relied upon to put a company in safe legal territory, rather than claiming consent overrides legal requirements.

    2. Voland's right hand Silver badge

      Re: Consent?

      slightly cheaper IT back-end supply.

      Not even the case in most cases. In most cases it is simply a matter of extracting more money out of its victims, err... customers.

  2. Anonymous Coward

    I seem to remember that the UK census personal information was to be processed by a US company in the US, so that is everyone in the UK in the NSA data base. I also thought that I read that one of the GCSE exam companies processed the data in the US.

    It would therefore appear that Smith is covering his arse and that of several other people.

    1. alain williams Silver badge

      That is why when I filled in my last census form I answered the question on how many bedrooms I had and left all other questions unanswered.

      1. SundogUK Silver badge

        I didn't make a return at all. They sent a 'heavy' round twice; if there was a third visit, I had already moved.

    2. smudge
      FAIL

      I seem to remember that the UK census personal information was to be processed by a US company in the US,

      Wrong. The England, Wales & NI data was processed by a UK company in Manchester, England, giving over a year's employment to several hundred people. The systems were built by the UK subsidiary of Lockheed Martin - that's what you are "remembering" - who handed them over to the Office for National Statistics before the Census started.

      The Scotland data was processed in Scotland - can't remember who was involved there.

      1. John Brown (no body) Silver badge
        Thumb Up

        "Wrong. "

        That's interesting, thanks for the update/clarification. I also thought the data had been shipped off to Northrop, not that they had simply sold us the systems to do it.

      2. Vimes

        @smudge

        They were also paid to support the system after the fact. That to me implies IMO that they had access to the data passing through it too.

        I can't speak for Lockheed Martin, but whenever I've been roped in to help with support calls to do with our software we often end up being given access to either customer systems or the files they have been using - both of which could easily have what would normally be considered confidential data.

        I wonder what level of access they had?

        1. smudge

          Re: @vimes

          They were also paid to support the system after the fact. That to me implies IMO that they had access to the data passing through it too.

          ...

          I wonder what level of access they had?

          None whatsoever. All comms were managed by C&W, and LM were not even allowed on-site at the data processing centres. They did provide support such as fault diagnosis and correction using their own pre-production systems - undoubtedly made more difficult by the fact that no data from the live systems was transferred to them.

          I can be as anti-US as the next person, and indeed I am currently advising a customer NOT to go to a cloud-based solution because of US legislation. But as far as I know the Census had all proper safeguards in place.

    3. Anonymous Coward

      More than that

      Every school student in UK starting from primary school and any parent signed up to keep track of their homework via Edmodo is in a USA database. Additionally, the consent entry on that database specifies that for subjects above 13y old (which includes the parents) they can do with that data as they please. Get 'em young I say, that data would be useful later.

  3. Luke Worm

    And within EU?

    Not much has been written about data transfers within the EU. Are the laws and regulations in the UK, for example, safe enough for data transferred from Germany?

    1. Grikath

      Re: And within EU?

      The UK? At the moment? Barely. And falling.

    2. billse10

      Re: And within EU?

      are we talking about data transferred to Talk Talk? :)

      (Yet to hear anything meaningful from the ICO about whether T/T took "appropriate" measures to protect customer data - my instinctive view is that there is a vague possibility that they could perhaps, maybe, have done a little more?)

  4. alain williams Silver badge

    Force of law needed, not agreements

    It is quite simple: an agreement/contract is not worth the paper that it is written on if:

    * the FBI/NSA/... comes knocking

    * the company goes bust and the administrators sell off your data

    The USA is complaining about the EU judgement, but it has a simple solution: legislate, some laws that guarantee personal data protection, something that all civilised countries should have anyway. Such laws are, however, unlikely since a lot of money is made dealing in personal information and the senators will not do anything to upset their corporate pay masters.

  5. arrbee

    "Ask yourself what personal data you are transferring outside the EU, where is it going to, and what arrangements have you made to ensure that it is adequately protected. For some this will be no easy task."

    If it's "no easy task" then you're already breaking the existing law.

  6. nsld

    Seems strange

    That pretty much the only voice downplaying the importance of this comes from the ICO.

    The Germans are starting enforcement whilst Smith is busy polishing the turd of MCCs and BCRs as a way around the problem whilst ignoring the elephant in the room of article 8(2).

    1. Grikath

      Re: Seems strange

      Not strange.. This might come as a surprise, but the UK is generally seen as a US vassal when it comes to this kind of stuff.

  7. Vimes

    'Breached but perhaps not destroyed'?

    The desperation shown here really is palpable and pitiful. They're desperate to see life in something that's already been declared dead. They don't want an effective system, they just want an easy life - just look at their desperate search for reasons to avoid actually taking on complaints.

    Safe harbour isn't resting, stunned or merely pining for the fjords. There's no risk of Safe Harbour going 'Voom'. Safe Harbour has passed on. Safe Harbour is no more. Safe Harbour has ceased to be. Safe Harbour has expired and gone to meet its maker. Safe Harbour is a stiff. Bereft of life, it rests in peace. (with apologies to Monty Python)

    Since Safe Harbour has been declared invalid it's somewhat of a puzzle how the ICO could continue to justify using model clauses or BCRs. They never go anywhere near explaining *WHY* they think BCRs or model clauses are still acceptable beyond shrugging and telling us 'well, they haven't been thrown out in a court yet, just don't blame us if things change' (trying to come to any determination themselves would mean - shock, horror! - WORK)

    https://www.whatdotheyknow.com/request/legitimacy_of_other_measures_use

    I suppose expecting the ICO to actually do some work would be considered a 'kneejerk' reaction...

    http://www.v3.co.uk/v3-uk/news/2429132/top-eu-court-rules-safe-harbour-invalid-leaving-us-data-transfers-in-tatters

    1. Yet Another Anonymous coward Silver badge

      Model contracts would be great

      If they were reciprocal.

      Getting FDA approval is horribly long, complicated and expensive. If I could just have a model contract for doctors saying that we intend to obey the law in some other country - and that was acceptable to the FDA it would be fantastic.

    2. nijam Silver badge

      > ... already been declared dead...

      Actually, as I understand the ECJ ruling, "Safe Harbour" was never actually alive in the first place, and it was a lie to claim so.

      1. Vimes

        Perhaps 'officially dead' would be a better way of putting it, thus ending the charade that we ever had any meaningful protection.

  8. Doctor Syntax Silver badge

    Now that the hard work has been done it seems likely that all the model clauses & the like will start to get chipped away by more referrals to the ECJ or by lower courts as these start building on the ECJ's precedents. Next in line will be GCHQ....

  9. Rol

    Seeing as big Dave has got his guns out and is aiming point blank at the Lords, then maybe we should get our penny's worth in and suggest a replacement now, rather than wait for the 1922 committee to install itself in the second chamber.

    Let us vote, online, for one hundred people whom WE hold in respect and admiration.

    And let this chamber have the right to generate legislation that is passed to the commons for consideration.

    And let their first meeting be about formalising the rights of every person in this country, which would also encompass the right to have your data dealt with as EU law demands and not as parliament wishes to twist it.

    1. Vimes

      'as EU law demands'

      There's the problem right there. You think you can stop law breaking by just passing more laws? What will stop *those* laws being broken too?

      The problem isn't with the laws, formal or otherwise. It's with the enforcement.

      We already have all these rights in national as well as EU law, but because the ICO refuse to take action neither the rights nor the ICO itself have much relevance in the real world (unless it involves marketing phone calls).

  10. Matt Bryant Silver badge
    WTF?

    ".....Argentina......"

    Seriously!?!?!? The EU are advocating Argentina as a safe country to send the data from UK companies? They obviously haven't spoken to many Argentines or they'd know (a) the government of Argentina is unfriendly if not downright hostile to the UK, and (b) the general Argentine populace are equally if not more hostile than their government, and (c) corruption is as endemic in Argentina as it is in the rest of the Latin American states. Frankly, Argentina would definitely not appear on my list of safe countries to send UK data to and is unlikely to for a few decades at least.

    1. Vimes

      Re: ".....Argentina......"

      I actually agree with you. Is that a sign of the end times? :)

    2. Vimes

      Re: ".....Argentina......"

      corruption is as endemic in Argentina as it is in the rest of the Latin American states

      And much of the southern half of the EU too?

      If you're looking for a roughly equivalent level of protection...

  11. KeithR

    "Since Safe Harbour has been declared invalid it's somewhat of a puzzle how the ICO could continue to justify using model clauses or BCRs"

    Not a puzzle at all.

    They're not the same thing.

    And the word "binding" is key here: BCRs are actionable in a contractual sense.

    1. Vimes

      @KeithR

      The word 'binding' is equally meaningless when the law takes precedence. They can come up with whatever contract they want, but what happens when the law says otherwise?

      And if they are so clearly acceptable, why have German regulators suspended any new BCR approvals?

      http://www.dataprotectionreport.com/2015/10/german-data-protection-authorities-suspend-bcr-approvals-question-model-clause-transfers/

      1. KeithR

        Re: @KeithR

        "The word 'binding' is equally meaningless when the law takes precedence."

        But the law is *absent* here - BCRs exist to fill that vacuum!
