In a case brought against Facebook by an Austrian citizen, Max Schrems, it has said that the Safe Harbor arrangements do not provide adequate protection for the privacy of EU citizens.
This case will have a significant impact in the UK. It affects not only those with US operations or joint ventures, but all organisations that use outsourced services using US-based servers. This may include payroll administration, CRM systems, cloud storage, email and website services (eg, online booking) and certain outsourced marketing services.
What does this mean for further education (FE) colleges in the UK?
The consequence of the ruling is that colleges that currently rely on the Safe Harbor provision will need to review how they ensure that they transfer data to the US in line with the law in the UK. In light of the ECJ ruling, many will now be operating in breach of the Data Protection Act.
The Information Commissioner's Office has indicated in its initial response that it recognises that it will take some time for organisations to carry out those reviews and put new systems in place. That is welcome since it means that there is no immediate threat of enforcement action for non-compliance in this respect.
However, if your college transfers personal data to the US, including by using such tools as Google Drive, Microsoft 365 or other cloud storage, we strongly recommend that you review your position as a matter of some urgency.