Commission confirms legality of storing EU customer data in US
LONDON - The European Commission has confirmed that it is legal under EU data protection law to store customer data in the US - as long as a Safe Harbor certification is in place.
The confirmation was part of a commission clarification of which non-EU countries have "adequate" standards for EU businesses to export and store their data.
European organisations and companies have been concerned about the US's Patriot Act, which grants federal officials the right to inspect any data stored in the US if it relates to a national security investigation.
If customer data emanating from the EU were investigated in this way, it would contradict the EU's Data Protection Directive, which prohibits organisations from passing on that data without the customer's consent.
Keen to encourage electronic marketing between the US and the EU, US authorities devised the Safe Harbor regime with the EU. US companies that sign up to Safe Harbor agree to comply with European electronic data protection standards.
Companies that have signed up to Safe Harbor include Microsoft, Apple, IBM, Adobe and Amazon.
Phil Lee, senior solicitor in Osborne Clarke's data privacy team, said that the issue was not simply with the Patriot Act but that the concern was that "companies within the EU could collect personal data about individuals and export this data to countries outside of the EU having lesser standards of data protection, using this as a means to circumvent EU data protection requirements".
Safe Harbor is a voluntary compliance route, so a US company that chooses not to use Safe Harbor can still import personal data if it uses another compliance route, such as a data transfer agreement on the European Commission's standard terms.
EU: listed countries safe to export data to


