Spain, data protection, and safe harbors

Spain seems to have been gripped by a collective psychosis in the five weeks since the Spanish data protection authority, the Agencia Espa?ola de Protección de Datos (Spanish Agency for Data Protection, or AEPD), sent a letter to all companies operating here that have notified it of cross-border data transfers to Safe Harbor certified companies telling them they must take steps to ensure that alternative mechanisms are implemented in order to continue transferring data to Safe Harbor certified companies in the United States because Safe Harbor certifications are no longer recognized as valid.

In short, the AEPD requires all companies that received the letter to inform it not later than January 29, 2016 of any mechanisms that have been implemented to protect personal data transferred to the United States.

Which presumably explains the headline yesterday in a Spanish online newspaper, El Confidencial: “AEPD ultimatum to Spanish companies: use of Dropbox and Google Apps prohibited”

Let’s begin with the AEPD, which has subsequently issued a clarificationdenying El Confidencial’s admittedly sensationalist headline. “The AEPD has not issued any such ultimatum to Spanish companies,” its says, adding: “the Agency’s activities are not directed at prohibiting the use of any specific tools.”

So what’s going on here? It’s certainly true that the United States has lost its status as a safe haven. Little wonder: it has shown itself utterly incapable of guaranteeing the privacy of non-US citizens. I discussed this back in October, and it was obvious there was going to be fallout.

In short, this means we should not have files with clients’ names stored on tools that export this information. Files deposited with the AEPD will be safe within the European Union and should not be exported to US servers.

So, if after January 28, the AEPD is able to prove that you have exported client data to a country not considered a safe haven, you could have a problem.

But it’s a long way from that to “prohibiting” the use of Dropbox and Google Apps. To start with, a lot of companies use them for tasks that have nothing to do with client data. Furthermore, it seems highly unlikely that the AEPD would have the time or resources to try to prove that the documents a company stores in Dropbox or Google Apps contain client information.

At the same time, it is possible to ask these companies?—?in the interest of continuing to use their services?—?to guarantee that our data is stored on European soil. It’s not easy, but not impossible. BBVA, one of Spain’s leading banks, included this in negotiations from the get go. If the likes of Dropbox and Google do run into problems over this, then we can be pretty sure they will take the appropriate measures so as to continue making money from the huge European market.

My advice to Spanish companies unsure of where they stand would be to contact Google and Dropbox, as well as MailChimp and others to ask what they intend to do. Most American companies, if they value their business in Europe, will publish clarifications as soon as possible. If I were an American company doing business in the European Union, I’d definitely take this episode as a proof of how paranoid their European customers are getting on this topic. And if you are a European company, most of all, before you do anything and fall into a status of collective hysteria, wait for “authentic” news coming from AEPD or from the equivalent agency in your country… and don’t believe everything you read in a newspaper!

(En espa?ol, aquí)