Email and the Law

The end of Safe Harbour for email marketing

Tuesday's finding of the European Court with regards the Safe Harbor Scheme (SHS) no longer being recognised as providing adequate protection for data transferred to the USA gives rise to fundamental concerns for email marketing. On these pages we warned of the risks of sending data to the USA well before the access that NSA enjoyed to data was revealed by Edward Snowden, the trigger for this decision. We believed that Data Protection Officers and companies could well be found in breach of the Act despite the SHS.

The Eighth Principal of the Data Protection Act (DPA) states: “Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

The SHS is, or rather was, accepted by the European Commission as providing adequate protection for the rights of individuals with regards transfer and storage of their personal data, although subject to certain conditions. All rather irrelevant now it would appear.

It is anticipated that the repercussions will be extensive and there is every likelihood they will become greater as time goes by. For companies working across the Atlantic, the days of sharing data using the protection of the SHS are over. Not only that, there are implications as to who is responsible if, for instance, there is a breach of the DPA post this decision.

So what does it mean for those of us who send personal data to the USA?

WizEmail's Sheriff Bot will make sure you are legally compliantThe ICO have published a prompt but less than definitive press release. It reads:

“The judgement means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time to do this.

“It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure that they are complying with the law related to international transfers. We will now be considering the judgement in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them. Businesses should check the ICO website for details over the coming weeks."

The full release is published here:

One thing of note is that the ICO accepts that any solution to the problem will take some time, so panic is to be avoided. What it does not clarify is the liability of Data Protection Officers who continue to send data to the USA.

Rather unhelpfully, the ICO states that other methods are available, although given that the NSA would appear to have free access to all data held in the USA, one wonders what these alternatives might be. Entering into agreements with individuals regarding sending such data is not a protection. It is an offence to send data where the protection is inadequate. 

The more concerning question is: what does it mean for those of us who have already sent data to the USA?

The simple answer here is no one knows at this time. One could argue that with the decision, any data retained there constitutes an offence, but this could well lead to practical difficulties with regards to penalising a company for complying with advice from bodies such as the ICO. In any case it might well be impossible to recover it without leaving any information in a state in which it is retrievable. 

It is not a comfortable situation. 

It is hoped that the ICO will be more specific with its advice in the near future. Until then it might well be beneficial to devise contingency plans, albeit somewhat flexible ones, in order to allow you to continue trading without data transference or at the very least, to limit it.

There is little doubt that we will be returning to the subject on these pages in the very near future.



30 days full functionality - No credit card required - INSTANT ACCESS