By: Gregory P. Bufithis, Esq.
7 October 2015 – Robbed of their Safe Harbor protection, U.S. cloud giants are taking shelter behind a new data-export and privacy fig leaf. Microsoft and Salesforce have become the first to publicly invoke “model clauses” – saying customers can continue shipping data outside the EU and onto their servers in the US despite Tuesday’s ruling by the European Court of Justice striking down Safe Harbor.
Model clauses were created by the Commission as a way to let organizations transfer data to others outside the EU in countries with different data-privacy rules. They predate Safe Harbor, which came into action in 2000. They are in effect “template agreements” that allow the sending of personal data to countries or territories lacking “adequate levels” of protection as defined under the 1998 Data Protection Act. Unlike Safe Harbor, model clauses put limits on sharing personal data, with those involved now open to potential legal action in the event of any breach of the rules.
Salesforce has said it’s now letting European customers update their agreements with a data-processing addendum that inserts the Commission’s model clauses:
“In light of the European Court of Justice’s decision on 6 October, 2015, regarding the EU-US Safe Harbor Framework, Salesforce is immediately offering customers a data processing addendum incorporating the European Commission’s standard contractual clauses, commonly referred to as ‘model clauses’.”
The CRM-as-a-service giant follows Microsoft, which on Tuesday told the world that its cloud services already come loaded with the model-clause defense. Azure Core Services, Office 365, Dynamics CRM and Microsoft Intune all comply with model clauses, the software giant said.
Brad Smith, Microsoft president and chief legal officer, blogged following Tuesday’s court ruling that model clauses meant companies in the European Union can continue to transfer data to the US “relying on additional steps and legal safeguards we have put in place”. Microsoft would not be drawn further on the details of its model clauses. Microsoft, which began introducing model clauses in 2011, saw its implementation receive EC Article 29 Working Party approval in 2014. That’s the Commission working group, set up in 1995, that works on the movement and protection of personal data. It was created under the Data Protection Directive.
Model contract clauses are already available for Google Apps, too. That would seem to mean that Gmail, Docs, Spreadsheets and other Google collaboration apps are covered. These are pieces of software widely used by UK and European businesses and governments in the handling of their own staff’s details and information relating to their customers or citizens.
Amazon’s AWS agreements also incorporate model clauses that have, again, been ratified by the Article 29 Working Party.
Under the model clauses, all parties must agree to comply with the data protection standards of the Data Protection Directive in respect of data. For example, the importer of data can’t subcontract that data’s handling without prior written consent of the organisation exporting the data, while the data importer is fully liable for the activities of the firm that it subcontracts with. Both agree to meet requests from “data subjects” to access the personal data and agree they might be sued if damage is caused to data subjects.
Also, the firm importing the data must agree to limit its data processing to that specific area mentioned in a contract and must ensure all its staff adopt appropriate levels of security and receive appropriate training.
Anybody proposing to send data outside the EU must first conduct a risk assessment on whether moving the data would “provide an adequate level of protection for the rights of the data subjects”. If the assessment is negative, it’s over to model clauses.
It’s an added level of bureaucracy and accountability U.S. cloud giants will be reluctant to embrace, and that Safe Harbor neatly sidestepped.