Implications of the cancelation of the Safe Harbour agreement
In 1998, the European Union regulated the right to privacy of Europeans on the Internet through the EU Data Protection Directive, which Spain transposed as the Organic Law on the Protection of Personal Data (LOPD). This legislation requires Internet companies to declare the personal data that they store and prohibits transferring such data to other countries (except between European countries already governed by the same Directive).
Other countries were gradually added to the list of countries whose laws were considered adequate, but the United States was not. Therefore, the transfer of data to servers in the United States was prohibited by default. Given the impact of this situation on American Internet businesses in Europe, in July of 2000 the European Commission signed the Safe Harbour agreement. Under this agreement, the circulation of personal data between Europe and the United States was permitted, as was its storage under a lower security requirement than that stipulated by European legislation.
The cancelation of the Safe Harbour agreement in October of 2015 has generated many doubts within companies that use online services regarding their current level of compliance with data protection legislation in the European Union.
While the cancelation of the Safe Harbour agreement is an advance in the protection of personal data, it is bad news for companies that use tools that regularly store such data and now have to set aside time to comply with the new requirements or change supplier.
What is meant by personal data?
Personal data is any information that identifies an individual, or merely makes an individual identifiable, including an IP address (name, surname, address, phone number, vehicle registration, email, photograph, video image, etc.).
If the economic activity of a company involves the personal data of individuals, the company is obliged to comply with the regulations in force to protect that data. The same consideration does not apply to individuals who are deceased, to the self-employed, or to the contact persons of corporations with which a company has a business relationship.
Concerning compliance with the Data Protection Act in Spain (LOPD), it is necessary to:
- Notify the Spanish Data Protection Agency (AEPD) of the data files with which a company works
- Inform those affected at the time of collecting the data what the purpose is for collecting the data and the mechanisms available to exercise their rights (ARCO, Access, Rectification, Cancellation and Opposition)
- Ensure compliance with the duties of secrecy and confidentiality
- Develop a security document setting out the technical and organizational measures that are taken to ensure data protection.
This article does not constitute legal advice.