The European Court of Justice has declared the US-EU safe harbour (or 'safe harbor') agreement invalid. This means that it is no longer lawful to send any personal data for processing to the USA, including on major social media sites and popular digital third party tools like email newsletter tools. So, how should fundraisers in the UK respond? What are the practical actions that they and their organisations can take now?
I guess a question to ask is why charities are sending their data to the US in the first place.
In some instances it may be to access data manipulation skills from analysts that reside in the US - global charities may have more analytical resource available to them in the US than the UK. If the issue is around EU data physically leaving the country, can US experts work on the data where it resides in the EU? It is fairly easy to give US data analysts secure access to data servers located in the EU. If data is being sent to the US for manipulation and analysis, then surely this can continue with a few simple changes? The people can go to the data rather than the data to the people.
Lara - it's not so much for data services but other key functions and technical solutions.
- Social Media. Especially Facebook as the one mentioned at the centre of this case. I imagine lots of charities would have a problem if the EU blocked access to that! Although - so would businesses, hence it won't happen soon.
- Cloud-based data management. It can be expensive to maintain data in servers in one's office. Moving to a shared cloud service can very much reduce this (Box, Dropbox, OneDrive, Google Drive/ Photos start at free-of-charge). That's before you take into account other benefits like remote access, integrations.
- Cloud or web-based software that sits on cloud databases. The most famous examples of this are Google Mail, Google Apps for Business/ Education, Office 365, HR systems like Success Factors, and one of the most-used CRMs in the charity world, Salesforce. The appeal of these is often the greater depth of functionality and reliability of service that comes with using a big provider. The big provider in turn wants to keep costs down (and more).
- Website hosting. With Google demanding quick access in order to uprank for SEO, more and more websites (with associated donation forms and order baskets) are deployed on cloud services like Amazon AWS, Azure and WordPress.com.
- Some large card payment systems, including popular US processors operating in the UK like PayPal and Stripe (along with their payment partners), need personal data to process a card. And then need to store it so a charity can reconcile records.
All of the above are among reasons that a charity might have personal data in the U.S.
Internet applications are so embedded in our lives, that I think it's big work to assess the risk.
In terms of the U.S.-based analyst example, that person is considered a third party processor. So, if they access your data via a login, it would - in total theory - just require a US government court order to get those passwords from a U.S. citizen.
This might not seem probable. However, having read the ruling, it reads not to be about the probable but the principle.
I agree, why should the US government have unfettered access to snoop on EU citizens without their knowledge or permission?
There's a lot more to it, Azadi, than I realised, thanks for your insight on the impact to social media and cloud services. I can only comment from a "data for campaign targeting" perspective. If we can't change the situation, all we can do is respond and adapt.
My advice to UK charities working with US owned data providers is to find out where their EU data is stored and processed. Some US data companies like Epsilon have always held EU data in the EU and used EU based analysts (in fact Abacus UK data is stored in Dublin and modelled by analysts in London) but since this adds operating cost, many US data businesses hold and model EU data on their systems in the US under the terms of the safe harbour agreement. More data companies operating in the UK have a link with the US than you might think so with the safe harbour agreement now in tatters, it is probably best to ask the question.
I'll throw one more issue into the pot - the role of cookies in transferring data. Does your charity use a tool whose host serves cookies to EU visitors from the USA? If so, EU data will be being transferred to the US.
There's some more on this at Optanon.
Following Lara's suggestion, maybe the best thing charities and fundraisers could be doing now is investigating how their data is being used, transferred or processed. In most cases this will involve asking the digital service provider - and thinking broadly about whom that might include.
Good suggestion Howard/ Lara re charities assessing current position.
I think even knowing all the places personal data is held - especially including online tools - and their formal position on data security is important and difficult. Some vendors might not even understand the concern!
For a number of these, the systems will be used by many customers and perhaps difficult to get a response from (Facebook, let's say). Do you think there is opportunity for a crowd-sourced list or wiki?
Ps. If a website has cookies which hold personally identifiable data (i.e. name, birthdate) rather than tokens, then that is doubly worrying.
While I'm making up digital solutions, it would be worth an organisation having a tool that perhaps automatically combines a cookie risk assessment with a wiki that rates riskiness of vendor. Maybe a good hackathon thing?
Good suggestions Azadi. I feel this is going to need input from a variety of informed sources, regulators, tech companies, lawyers and professional bodies, far beyond the charity sector.
I think many people have no idea where their personal data is held and not until something goes wrong do many people care.
They are expecting the companies collecting it to take good care of it.
However the speed of the announcement that Safe-Harbors were no longer suitable, to implementation, e.g. 1 day, didn't allow much time for organisations to make alternative arrangements.
Safe-Harbor agreements came into being in the last Century.
It was a simpler time.
We live in a significantly more complicated, global society, so I believe an alternative to the old Safe-Harbor agreement is needed.
Hopefully a new version will not take as long to be agreed as the EU Data Directive.
I've also reviewed some of the Snowden materials which suggest some significant sharing of information between UK and US security agencies and that the UK system plays a key part in scrutinising all material.
EU Court of Justice rulings and Safe Harbours and an individual agreement between a company and a data controller (to use the data protection act term - Data Protection Act 1998) notwithstanding, if those agencies wish to move data from UK to US they will.
So I'm wondering if the EU Court of Justice ruling will change only unimportant data movement and storage and not prevent the sharing of important sensitive material?
Mags Rivett at Purple Vision has published a useful guide on what to do about the EU/US Safe Harbor ruling and what it means for you.
Some practical advice is available for Salesforce users, which she links to.
For other digital services they recommend waiting until you're contacted by the provider with their advice, and explore how data is used.
A bit late to the conversation, but in a straw poll of about 12 trustees at a breakfast meeting I attended this morning, none of them knew about it, and all were concerned once they understood what it meant.
So what can be done?
It's almost impossible these days for a consumer to control where their personal data is held, other than living off the grid entirely.
Is it possible for a charity to guarantee their donors' privacy by choosing EU-based platforms (like Donorfy)? It's a start, but the nature of the cloud and its integratability (sorry!) is that it blurs borders, so vendors need to make it clearer where they store data and what they do with it to allow charities to make an informed choice.
Can the American vendors make their own guarantees about data privacy? Maybe, and it will be good PR, but can they hold out against US government demands for data?
As a sector this has the potential to be another unwanted headline - "charity not taking care of donor data shocker", and I think the sector as a whole would have limited influence over and above a best practice.
So I think it's only the governments and the EU who have the clout to act in order to protect the privacy of their own people. Bring it on!