If you’re in the European Union (EU) or European Economic Area (EEA), chances are you’ve heard about the recent news surrounding “Safe Harbor”, a framework established to help organizations comply with data privacy requirements when sending data from the EU to the U.S. This post provides a brief overview of what HubSpot is doing to ensure our EU and EEA customers can continue to use the HubSpot platform while complying with EU Data Privacy regulations.
The Court of Justice of the European Union (the ECJ) put out a decision on October 6, 2015, declaring that the “U.S.-EU Safe Harbor Framework” was no longer a valid way to ensure the “adequacy” of data protection when transferring personal data of EU citizens to the United States. With Safe Harbor crossed off the list, companies sending data between the EU and U.S. were left to look for other options, like “Standard Contractual Clauses” (also known as the Model Clauses) or “Binding Corporate Rules.”
Why was the ECJ considering the validity of Safe Harbor in the first place?
Maximillian Schrems, an Austrian law student, filed a complaint against Facebook with the Irish Data Protection Authority (Maximillian Schrems v. Data Protection Commissioner, Case C-362/14). He argued that, in light of Edward Snowden's revelations on the NSA, Safe Harbor didn’t ensure sufficient protection against surveillance. The case worked its way through the courts until it reached the ECJ, who held that because of the way Safe Harbor was structured, it didn’t meet the requirements for adequate protection needed to send data outside the EU.
That sounds unsettling... What does it mean for HubSpot customers?
We make a point to follow developments around EU data laws, so we had already been hard at work even before the ECJ released its decision in Schrems. To help our customers comply with Article 26(2) and so that our EU customers have a way to make sure their data is adequately protected, we have a Data Processing Annex (DPA) to our Customer Terms of Service, available to all our EU and EEA customers. Our DPA covers transfers of data within the EU or EEA through our Irish entity and incorporates the Model Clauses to cover transfers of data outside the EU or EEA to our U.S. locations. Of course, those interested in the detail of our DPA will want to give it a read, and we’ve made a draft copy available for download. Check our our Legal Stuff page for more on this, or check out the infographic below:
Is use of the Model Clauses a valid approach for data transfer from DACH to the U.S.?
Yep. There are many ways to satisfy the EU requirement that there be an “adequate level of protection” for a data transfer to the U.S. The Model Clauses were issued by the European Commission, who has the power to decide that these pre-written legal clauses offer sufficient safeguards (more here).
What about all the news coming out of the EU since the ECJ’s decision?
This probably won’t come as a big surprise given the widespread interest in Safe Harbor, but since the ECJ’s decision in Schrems, there have been press releases, statements, and opinions left and right. Regulators from the EU and U.S. have agreed in principle on a “Safe Harbor 2.0,” a potential solution to offer similar broad coverage to the original Safe Harbor framework. One German state’s data protection authority (Schleswig Holstein) has even come out with a bold statement on the validity of the model clauses. Despite all these perspectives, ultimately, the ECJ is the only body with the power to overturn a blanket decision of adequacy (like the Model Clauses). The Article 29 Working Party (made up of representatives from the member states’ data protection authorities) has announced that it will spend the time until the end of January 2016 evaluating the Model Clauses and other approaches (such as “Binding Corporate Rules”). It’s generally expected that a reasonable approach will be reached, whether it relies on a blanket framework like Safe Harbor or a contractual solution like the Model Clauses. This is a developing situation and information will likely change but we’re continuing to keep an eye on things that affect HubSpot, so stay tuned.
PLEASE NOTE: This guide has provided information about the law designed to help our readers better understand the legal issues surrounding EU data privacy. But legal information is not the same as legal advice -- the application of law to an individual's specific circumstances. Although we have conducted research to better ensure that our information is accurate and useful, we insist that you consult a lawyer if you want professional assurance that our information, and your interpretation of it, is accurate. To clarify further, you may not rely upon this information as legal advice, nor as a recommendation or endorsement of any particular legal understanding, and you should instead regard this article as intended for entertainment purposes only.