Safe Harbor - Model Contract Clauses for EU - US data export and processing
09 Oct 2015
I'm already starting to see "model clause" addendums coming out to allow EU companies to continue to use US-based partners, CRM solutions and other data services.
The standard model clauses which I have seen place the onus of responsibility, and liability, on the exporter (i.e. you) to make it easier for the data subject to obtain redress should there be a data breach or a misuse of the data.
If you want to sign a model contract like this with a US-based partner or supplier, you should probably take legal advice first.
At the very least, you must understand the liability you are accepting, and as such you must perform a data protection audit which documents the types of data being exported, what processing is to be carried out, the information security processes of the partner, and a full list of the partners which they use for sub-contracting data processing or storage.
The same audit should also be carried out for EU-based cloud providers who transfer backups, login details, support details, etc. outside of the EU.
Read this for the ICO's current guidance: https://iapp.org/news/a/icos-graham-dont-panic
And to follow on from this, now my own EU cloud provider has just emailed me to say that they transfer data to the US, so I need to sign a new contract absolving them of any blame should they or their partners cause a data breach!
Emarsys UK Ltd
Head of Deliverability