Robbed of their Safe Harbor protection, US cloud giants are taking shelter behind a new data-export and privacy fig leaf.
Microsoft and Salesforce have become the first to publicly invoke “model clauses” – saying customers can continue shipping data outside the EU and onto their servers in the US despite Tuesday's ruling by the European Court of Justice striking down Safe Harbor.
Model clauses are template agreements from the European Commission that let firms in EU member states send personal data to countries or territories lacking “adequate levels” of protection as defined under the 1998 Data Protection Act.
Unlike Safe Harbour, model clauses put limits on sharing personal data, with those involved now open to potential legal action in the event of any breach of the rules.
Salesforce has said it’s now letting European customers update their agreements with a data-processing addendum that inserts the Commission's model clauses.
“In light of the European Court of Justice’s decision on 6 October, 2015, regarding the EU-US Safe Harbor Framework, Salesforce is immediately offering customers a data processing addendum incorporating the European Commission’s standard contractual clauses, commonly referred to as ‘model clauses’,” Salesforce said in a statement.
The CRM-as-a-service giant follows Microsoft, who on Tuesday told the world that its cloud services already come loaded with the model-clause defense.
Azure Core Services, Office 365, Dynamics CRM and Microsoft Intune all comply with model clauses, the software giant said.
Brad Smith, Microsoft president and chief legal officer, blogged following Tuesday’s court ruling that model clauses meant companies in the European Union can continue to transfer data to the US “relying on additional steps and legal safeguards we have put in place”.
Microsoft would not be drawn further on the details of its model clauses.
Microsoft, which began introducing model clauses in 2011, saw its implementation receive EC Article 29 Working Party approval in 2014. That’s the Commission working group set up in 1995 working on the movement and protection of personal data. It was created under the Data Protection Directive.
Model contract clauses are already available for Google Apps, too.
That would seem to mean that Gmail, Docs, Spreadsheets and other Google collaboration apps are covered. These are pieces of software widely used by UK and European businesses and governments in the handling of their own staff’s details and information relating to their customers or citizens.
Amazon's AWS agreements also incorporate model clauses that have, again, been ratified by the Article 29 Working Party.
Model clauses were created by the Commission as a way to let organisations transfer data to others outside the EU in countries with different data-privacy rules. They predate Safe Harbour, which came into action in 2000.
Under the model clauses, all parties must agree to comply with the data protection standards of the Data Protection Directive in respect of data.
That is, for example, the importer of data can't subcontract that data’s handling without prior written consent of the organisation exporting the data, while the data importer is fully liable for the activities of the firm that it subcontracts with.
Both agree to meet requests from “data subjects” to access the personal data and agree they might be sued if damage is caused to data subjects.
Also, the firm importing the data must agree to limit its data processing to that specific area mentioned in a contract and must ensure all its staff adopt appropriate levels of security and receive appropriate training.
Anybody proposing to send data outside the EU must first conduct a risk assessment on whether moving the data would “provide an adequate level of protection for the rights of the data subjects”. If the assessment is negative, it’s over to model clauses.
It's an added level of bureaucracy and accountability US cloud giants will be reluctant to embrace, and that Safe Harbour neatly sidestepped.
Microsoft's Smith blogged that the ECJ decision raised "important points" and makes it "even more important for the European Commission and the US Government to reach agreement on a path forward".
"It also makes clear the need for broader reforms of digital privacy laws around the world to strike a better balance between personal privacy and public safety."