The European Court of Justice has declared the US-EU safe harbour (or 'safe harbor') agreement invalid. This means that it is no longer lawful to send any personal data for processing to the USA, including on major social media sites and popular digital third party tools like email newsletter tools. So, how should fundraisers in the UK respond? What are the practical actions that they and their organisations can take now?

Thanks for inviting us to chat Howard! 

Before we kick-off on opinions, this article is a super guide to ruling:

As I said to Howard I am wondering if this applies to "cloud based" fundraising databases such as one version of Raisers Edge where data is stored in the US of A ?
Hi Andy -
Ah... Raiser's Edge. Disclosure for the thread - I used to be Product Manager for Raiser's Edge outside of the US, and so privacy concerns in Europe, Canada and more have been important to me for some time. 

To answer your question from my non-legal but reasonably-informed perspective: 

It does apply to "cloud-based" solutions on US soil, be they fundraising (either web-based or hosted versions of classic software), email (Office 365, gmail) CRM or data management (such as Dropbox, salesforce, Dynamics CRM) and even UK classic software using cloud hosting (Amazon Web Services, Azure).

Safe Harbor was a scheme that American companies could sign up to so that customers would be guaranteed that their data would be treated as-if part of the EEA. The guarantee is basically underwritten in an EEA-US trade agreement dating from 2000, and it is that agreement which has been reviewed by the EU Court of Justice. 

What the EU Court of Justice said is "national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements."  
Basically, thanks to Edward Snowden's revelations,  you can't trust what will happen to data on US soil.

They consider the ruling to cover "storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made.
Basically, any data at all, no matter what the access is.

A fundraising database supplier might not be processing data, but instead just storing it.  In UK data protection terms, that might be a discussion point. However, what the Court of Justice have said is why the data is being held would mean nothing as the US government could access that data if they wanted! The US government does have a habit of taking data. Hence the ruling. 

However, from the vendor's perspective, they'll be disappointed now too. Let's take at face value that they wanted to sign up to Safe Harbor, and put in place the security regime to support that. They saw Safe Harbor as a scheme supported by the government to aid them in trading internationally, and so that they don't have to draw up lengthy privacy contracts (“model contract clauses”) themselves. 

So these companies - many of them, including fundraising software vendors, credit card processors and so on - will have to bring in lawyers to replicate Safe-Harbor like agreements. That or using what little lobbying power they have petition the US govt sign-up to adhering to better international data standards.  

Back to Andy's question: I think what is less clear is what the ruling mandates with regards to data on EEA soil that is managed by a US company (Salesforce is used in more charities than any fundraising software), or that passes through US servers (LOTS of the internet is built on Amazon Web Services, Azure).  Big post so far, so will leave this point for later...

I guess a question to ask is why charities are sending their data to the US in the first place.

In some instances it may be to access data manipulations skills from analysts that reside in the US - global charities may have more analytical resource available to them in the US than the UK. If the issue is around EU data physically leaving the country, can US experts work on the data where it resides in the EU? It is fairly easy to give US data analysts secure access to data servers located in the EU. If data is being sent to the US for manipulation and analysis, then surely this can continue with a few simple changes? The people can go to the data rather than the data to the people.  

Lara - it's not so much for data services but other key functions and technical solutions. 


-Social Media. Especially Facebook as the one mentioned at the centre of this case. I imagine lots of charities would have a problem if the EU blocked access to that! Although  - so would businesses, hence it won't happen soon. 

- Cloud-based data management. It can be expensive to maintain data in servers in one's office. Moving to a shared cloud service can very much reduce this (Box, Dropbox, OneDrive, Google Drive/ Photos start at free-of-charge). That's before you take into account other benefits like remote access, integrations. 

- Cloud or web-based software that sits on cloud databases. The most famous example of this are Google Mail, Google Apps for Business/ Education, Office 365, HR systems like Success Factors, and the one of the most-used CRMs in the charity world, Salesforce. The appeal of these is often the greater depth of functionality and reliability of service that comes with using a big provider. The big provider in turn wants to keep costs down (and more). 

-website hosting. With Google demanding quick access in order uprank for SEO, more and more websites (with associated donation forms and order baskets) are deployed on cloud services like Amazon AWS, Azure and 

- Some large card payment systems, including popular US processors operating in the UK like PayPal and Stripe (along with their payment partners), need personal data to process a card. And then need to store it so a charity can reconcile records. 

All of the above are among reasons that a charity might have personal data in the U.S. 

Internet applications are so embedded in our lives, that i think it's big work to assess the risk. 

In terms of the U.S.-based analyst example, that person is considered a third party processor. So, if they access your data via a login, it would - in total theory - just require US government court order to get those passwords from a U.S. citizen.  

This might not seem probable. However, having read the ruling, it reads not to be about the probable but the principle. 

After a couple of probably too-long posts, what do you folks think about the ruling?

I like that there is at least an attempt from the EU to stand up for our rights on privacy!
Absolutely - as a donor I do not want my data spread all over the US of A etc!

I agree, why should the US government have unfettered access to snoop on EU citizens without their knowledge or permission?

There's a lot more to it, Azadi, than I realised, thanks for your insight on the impact to social media and cloud services. I can only comment from a "data for campaign targeting" perspective. If we can't change the situation, all we can do is respond and adapt. 

My advice to UK charities working with US owned data providers is to find out where their EU data is stored and processed. Some US data companies like Epsilon have always held EU data in the EU and used EU based analysts (in fact Abacus UK data is stored in Dublin and modelled by analysts in London) but since this adds operating cost, many US data businesses hold and model EU data on their systems in the US under the terms of the safe harbour agreement.  More data companies operating in the UK have a link with the US than you might think so with the safe harbour agreement now in tatters, it is probably best to ask the question. 

I'll throw one more issue into the pot - the role of cookies in transferring data. Does your charity use a tool whose host serves cookies to EU visitors from the USA? If so, EU data will be being transferred to the US.

There's some more on this at Optanon.

Following Lara's suggestion, maybe the best thing charities and fundraisers could be doing now is investigating how their data is being used, transferred or processed. In most cases this will involve asking the digital service provider - and thinking broadly about whom that might include.

Good suggestion Howard/ Lara re charities assessing current position. 

I think even knowing all the places personal data is held - especially including online tools - and their formal position on data security is important and difficult. Some vendors might not even understand the concern! 

For a number of these, the systems will be used by many customers and perhaps difficult to get a response from. (Facebook, let's say) Do you think there is opportunity for a crowd-sourced list or wiki?

Ps. If a website has cookies which hold personally identifiable data (I.e. Name, birthdate) rather than tokens, then that is doubly worrying. 

While I'm making up digital solutions, would be worth an organisation having a tool that perhaps automatically combines a cookie risk assessment with a wiki that rates riskiness of vendor. Maybe a good hackathon thing ?

Me again. These reason I throw around these kinds of suggestions is that alas I don't think the solution is as easy as "don't use the U.S. for data management."  Could any of us tomorrow give up Facebook, LinkedIn, Twitter etc and search for EEA equivalent alternatives? And move our social accounts let alone our businesses across?

Ever the optimist, I feel there is an opportunity for [good] American companies to come out shining.  

The saddest thing I read was how some U.S. Safe Harbor negotiators felt that this announcement might delay a re-negotiating of Safe Harbor that customers could continue to sign-up for and let their donors have their data on.

 Or maybe a market-led mechanism would help? Like the five-star food rating maybe we should start rating suppliers for their data privacy standards?  I'd immediately give zero stars to every organisation that sent me my password in an unencrypted email!!

Good suggestions Azadi. I feel this is going to need input from a variety of informed sources, regulators, tech companies, lawyers and professional bodies, far beyond the charity sector.

True Howard. This is big. And important for the population at large to get resolved.  

It's also a difficult problem. I have my data on all sorts of US sites because I've had to in order to get something done. Would be great if that were easier for charities and consumers!

I think many people have no idea where their personal data is held and not until something goes wrong do many people care.

They are expecting the companies collecting it, to take good care of it.

However the speed of the annoucement that Safe-Harbors were no longer suitable, to implemntation, eg 1 day didn't allow much time for organisations to make alterntive arrangements

Safe-Harbor agreements came into being in the last Century.

It was a simplier time.

We live in a significantly more complicated, global society, so I believe an alternative to the old Safe-Harbor agreement is needed.

Hopefully a new version will not take as long to be agreed as the EU Data Directive

I've now had a chance  to look at the EU Court of Justice ruling  about storing EU data in the US and it covering "storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made."

I've also reviewed some of the Snowden materials which suggests some significant sharing of information between UK and US security agencies and that the UK system plays a key part in scrutinising all  material.

EU Court of Justice rulings and Safe Harbours and and individual agreement between a company and a data controller ( to use the data protection act term - Data Protection Act 1998) not withstanding, if those agencies wish to move data from UK to US they will

So I'm wondering if the EU Court of Justice ruling will change only unimportant data movement and storage and not prevent the sharing of important sensitive material?

Mags Rivett at Purple Vision has published a useful guide on what to do in EU/US Safe Harbor ruling and what it means for you.

Some practical advice is available for Salesforce users, which she links to.

For other digital services they recommend waiting until you're contacted by the provider with their advice, and explore how data is used.

A bit late to the conversation, but in a straw poll of about 12 trustees at a breakfast meeting I attended this morning, none of them knew about it, and all were concerned once they understood what it meant.

So what can be done?

It's almost impossible these days for a consumer to control where their personal data is held, other than living off the grid entirely.

Is it possible for a charity to guarantee their donors' privacy by choosing EU-based platforms (like Donorfy)? It's a start, but the nature of the cloud and its integratability (sorry!) is that it blurs  borders, so vendors need to make it clearer where they store data and what they do with it to allow charities to make an informed choice.

Can the American vendors make their own guarantees about data privacy? Maybe, and it will be good PR, but can they hold out against US government demands for data?

As a sector this has the potential to be another unwanted headline - "charity not taking care of donor data shocker", and I think the sector as a whole would have limited influence over and above a best practice.

So I think it's only the governments and the EU who have the clout to act in order to protect the privacy of their own people. Bring it on!