It’s an understatement to say that information security has risen up people’s agenda. It’s screaming at us now. Apple are battling it out with the FBI over the order for them to unlock the San Bernardino killer’s iPhone. The EU courts have declared the Safe Harbor provisions allowing a mechanism for data to be transferred to the US to be invalid. The European Commission has come up with a replacement, which it calls Privacy Shield, but nobody really thinks it’s an answer. It could lead to an answer, but once it is fleshed out it is likely to be challenged again.
We’ve been working with one of our software-company clients with a product hosted in the UK but potentially accessed for support purposes from different places (outside the European Economic Area). We’ve had to analyse whether support would or could lead to data being transferred outside the EEA, and if so what provisions need to be in place to allow that. Even if the data is hosted in the UK, the fact of it being viewed on screen outside the EEA would qualify as transfer. Of course it’s really the product rather than the data which would be the purpose of the support, but there is a possibility of incidentally “touching” some personal data. Either there have to be agreements in place to allow for the transfer of data, using approved model clauses, or there need to be technical safeguards to prevent access.
So information security, data protection, privacy, big data – and so it goes on; a massive, exploding area. We’re going to be looking at this at an event with our friends at the Agenci as part of Leeds Digital Festival (http://www.leedsdigitalfestival.org/city/leeds/event/information-security-or-the-alternative/) on 28th April – details on the site. We expect the story will have moved on further by then, too.
Written by Paul Berwin of Berwins Solicitors.