Date 17/03/2016
Throughout this short commentary, we will be referring to the implications of the sentence for independent professionals, considering that it is a regular occurrence in their roles for them to be using file storage services on servers such as Dropbox, iCloud and Google+, especially for practical and operational purposes, due to their ease of accessibility from any electronic device available.
For the purposes of clarity, said judgment determines that the companies managing these services have servers based in the U.S.A., for which their use promotes the need to carry out an “international data transfer”, and therefore being able to comply with that which is established in the Data Protection Act. In order for international transfers to fulfill regulations, they must be previously authorised by the Spanish Data Protection Agency (AEPD), with the exception of transfers made for countries who possess an agreement confirmed by the European Commission, along with a level of protection comparable to that which exists within Europe.
For quite a while now, and with the aim of safeguarding this work tool, as an exception, the European Commission has been specifically authorising data transfers made to American firms, providing that said transfers adhered to Safe Harbor principles, in such a way that demanding security protocol was established, which ensured the level of protection, comparable to that disclosed by the European regulation.
As is logical, all large providers such as Dropbox, Apple or Google adhered to this system, the reason for which we have been allowed to use their services without infringing upon the legal system in place.
Within this context, the situation appears to have been altered by the judgement passed by the European Court of Justice on 6th October 2015, which has come to annul the Safe Harbor principles, establishing that they do not guarantee compliance, and in some way, are comparable to European legislation on data protection.
The result of the resolution has left users in a situation overcome with illegality; having understood that for an independent professional to be able to continue using said “cloud” servers, found within the U.S.A., from now on they must gain AEPD approval, which, in practice, would require for Google or Dropbox to agree to signing a contract, which includes a similar clause, determined by the European Commission; obviously ensuring that it is beyond the reach of anyone unauthorised.
As a provisional measure, the European Authorities came to a consensus that measures will not be taken against users until, at least, February 2016, offering a reasonable deadline by which to adapt to the new situation, and in the hope that a new Safe Harbor agreement can be reached, which will replace the previous one.
Given such uncertainty, we find ourselves awaiting measures to be adopted by the authorities, either, as of today, the illegality is suppressed, and from our perspective there is no better recommendation than to AVOID using the cloud services provided by these businesses, or rather that we will have to search for a provider which guarantees that data will not be taken beyond the European Economic Area.
Balms Abogados Madrid