EU Safe Harbor Decision – Data Transfer Compliance Unchanged
A decision by the European Court of Justice on October 6th determined that the U.S.-EU Safe Harbor program provides inadequate protection for the transfer of European Union data subjects’ personal data to the United States. We take these issues extremely seriously at Seven Bridges. On behalf of clients, we monitor changes in the regulatory environment, and we go to great lengths to ensure that clients can be absolutely certain they comply with the most stringent frameworks.
We’d like to reassure clients and users of the Seven Bridges Platform that, despite this ruling, they may still transfer personal data on our system. For complete details, please see our Compliance White Paper, linked below.
For clients who move EU data to the U.S. using the Seven Bridges Platform, we now use model contract clauses.
The court’s ruling was limited to Safe Harbor and does not disturb the validity of non-Safe-Harbor mechanisms for the protection of extra-EU data transfers. Among these mechanisms are standard contractual clauses (model contract clauses) approved by the European Commission under the authority of Article 26(4) of the EU’s Data Protection Directive.
To ensure that clients continue to meet their EU data protection obligations, Seven Bridges stands ready to include these model contract clauses in any client agreement and to sign on to the clauses as a subprocessor for any clients who are themselves considered data importers. We have already agreed to a Data Processing Addendum which includes the model clauses with Amazon Web Services (AWS), our cloud infrastructure provider, to assure subprocessor compliance.
The model contract clauses impose obligations on both the EU-based data exporter and the extra-EU data importer (in this case, Seven Bridges). Among other stipulations, the data importer is required to do the following: process imported data only as instructed by the controller and in compliance with the model contract clauses; implement agreed-upon security measures; allow the data exporter to audit its data-processing facilities; and ensure any downstream data processors (subprocessors) agree to protective terms at least as stringent as the model contract clauses.
Individual data subjects are able to enforce specific clauses intended to protect their data, a right that extends to the data exporter, the data importer, and any subprocessor. On occasion, the data importer may be compelled by law to disclose data. In this case, the importer is required to inform the exporter of any such data disclosure. The data importer is also required to inform the data exporter of any changes in the law that may have a substantial adverse effect on the importer’s ability to carry out the stipulations of the model contract clauses.
For a thorough explanation of Seven Bridges’ approach to helping clients comply with international regulatory frameworks, please read our Compliance White Paper.
Please feel free to write our Compliance Team any time at privacy@sbgenomics.com.