Enthuse - Donor Pulse Summer Report is here. Get the report (on a blue button).

Safe Harbor: what next for fundraisers?

Howard Lake | 2 November 2015 | Blogs

A tsunami by the name of Maximillian Schrems, aided by the European Court of Justice, has washed away the fig leaf that was Safe Harbor.
This is a significant issue for organisations of all sizes, not least cash-strapped charities struggling to maximise the value of their donor and supporter data. The significance stems from what this judgement means for a range of popular tools and technologies used by charities. Tools like Mailchimp, Surveymonkey, Gmail, Raisers Edge, or any number of community management tools that are hosted in the mythical cloud.

What has happened?

The European Court of Justice has ruled that, because of the excessive nature of the mass surveillance systems that operate in the United States, as disclosed by Edward Snowden, and as a result of the lack of judicial redress or other protections equivalent to the rights we enjoy in Europe, the Safe Harbor Agreement between the United States and Europe has been struck down as being invalid. It is invalid because it is incompatible with the fundamental right to Data Privacy that we, as Europeans, enjoy under the EU Charter of Fundamental Rights and the Treaties which underpin the European Union.
As of the 6th of October 2015, any organisation that is sending data to the United States on the basis of Safe Harbor is exporting data out of the European Economic area without a lawful basis and is committing an offence under the Data Protection Act.
Also, the Court of Justice has added further clarification about the obligation a Data Protection Authority in the EU, such as the UK’s Information Commissioner, has to conduct investigations on any complaint.

What was Safe Harbor?

It was an agreement between the EU and the United States Department of Commerce that was entered into fifteen years ago to help facilitate transfers of data between the EU and the US with the advent of the Data Protection Directive 95/46/EC back in 1995. It was a self-certified scheme where US organisations undertook to respect a set of principles for data protection and data privacy that mapped broadly to those in the Data Protection Directive.
Without it, companies such as Google, Facebook, Mailchimp, Surveymonkey, and over 4,000 others, would have found it difficult to do business with companies in the EU.


An introduction to AI for charity professionals by Ross Angus

What’s happening next?

There are a number of other approaches that can be taken to sending data to the United States. One example is Model Clauses, which are standard defined contract clauses that have been ‘preapproved’ by the European Commission. Many US companies are now beginning to offer these to their customers. However, many experts (myself included) are of the view that these clauses are probably subject to the same weaknesses as Safe Harbor, which has been found wanting.
The Article 29 Working Party (the collective grouping of EU Data Protection Authorities) has begun the process of reviewing the impact of the Schrems case judgement on these other mechanisms and have indicated they will take until January to complete this review. Until then, model clauses can be used. However, should any individual complain to a Data Protection Regulator about the operation of model clauses in a given case, then the transfer of data under that particular instance of contract for that particular service provider could be suspended at any time.
The Article 29 Working Party has made it clear in their statement however that, after January, they will begin to investigate and prosecute as required if data is being transferred illegally.

What should you do now?

There are a few key things you need to do now for your charity to protect them and protect your data.
1. Review all the data systems you are using. Everything from email services to donor management services, from marketing platforms to event booking systems, and all ports in between needs to be reviewed. The focus of the review should be on determining if the service provider is transferring data to the United States for processing (including hosting) and on what basis such transfers are taking place.
2. Identify the “critical to operations” systems that you need to have running to keep your charity operating. Given the impact on your operations of these systems suddenly being unavailable to you, use the next month to find an alternative product that keeps data in the EU, or negotiate with your service provider to have the hosting of your data moved to the EU. It is my personal view that Model clauses as result of the structure of the clauses themselves, will not survive scrutiny post Schrems. Your appetite for risk in your charity will be a key issue here.
3. Seek out alternative services if you cannot get assurances that data can be moved to the EU. This may not be as easy as one would like. For basic email, vendors like SensorPro.ie in Ireland and MaiJet.com in France provide bulk and transactional email services with data hosting in the EU. Other ‘niche’ services may not have a direct swap available, so you will need to allow time to research and seek out suppliers. Different cost structures from suppliers may have potential budget implications.
4. Remember that anything in “The Cloud” is almost certainly affected by this ruling. From email, to file sharing, to fundraising, every aspect of your Charity’s operations are potentially affected. Use the coming three months wisely and don’t put these reviews on the long finger!

Who is going to fix this?

The European Commission has been negotiating a Safe Harbor2.0 for a number of years. However, the issues identified in the Schrems case can only be fixed by the United States. Europe’s laws are not at fault here. America has failed to meet a required standard of balance in respecting fundamental rights. Some positive moves are beginning to happen already on the US side, but it will take a long time.
Cloud service providers can fix this by offering you an EU-hosted version of their services, or by moving all their data into the EU for all their customers, and applying EU data protection rules by default.
Finally, EU-based business can help solve this by realising they have wonderful market opportunity to provide Charities, businesses, and individuals, with products and services that match what US businesses have offered, but without the compliance headache of data transfers. And those businesses will pay taxes, generate local employment, and perhaps support local charities.

Useful Links

Really Safe Harbor: an information page set up by a German software company to provide information on tools that keep data in the EU.
Article 29 Working Party statement on the next steps.
Daragh O Brien is the Managing Director of Castlebridge Associates, a Data Protection and Information Governance training and consulting firm based in Ireland. Castlebridge works closely with a number of clients in the not-for-profit sector in Ireland and the UK, as well as working with Public and Private sector organisations in Ireland, the EU, and further afield, either in training and consultancy engagements or through our “virtual Data Protection Officer” service ClouDPO.
Daragh is also Data Protection Officer for DAMA International, a professional organisation with chapters in over 16 countries, an advisor to Digital Rights Ireland, and a lecturer in Data Protection law and practice in the Law Society of Ireland.
Photo: safe harbour by Gutzemburg on Shutterstock.com