Is harboring eLearning data safe again?

The secure management of learner and client data should be a priority for all teams and companies that deliver eLearning. But adhering to policies and best practices across multiple jurisdictions can be complex. After a recent ruling declared the Safe Harbor Privacy Principles invalid, many LearnUpon customers asked: what now for EU-US personal data transfer? With Safe Harbor not so safe anymore, can I still transfer eLearning data from the EU to the US? In this post, I'll explain what Safe Harbor is and outline the implications of the ruling for the secure management of your eLearning data.

Zero data protection to mass government surveillance

When the Safe Harbor Privacy Principles were introduced, a compromise had to be found between the EU's stringent requirement of “adequate levels of protection” for personal data and a US regime that offered far weaker protection, and in which unprecedented levels of state surveillance would later be reported. That’s quite the gap to bridge!

The seven principles that were eventually agreed governed the collection, processing, storage and transfer of the personal data of EU citizens. Companies within the EU could not legally transfer personal data to a country outside the EU without ensuring adequate levels of protection (even if what counted as 'adequate' remained vague).

Safe Harbor provided that assurance: US companies that chose to self-certify adherence to the principles could receive and process EU personal data across the Atlantic.

Safe Harbor recently came to an end when the European Court of Justice ruled it invalid. A number of weaknesses in the scheme made the judgement unsurprising. Safe Harbor was voluntary: US companies that handled EU personal data were under no legal obligation to sign up to its principles.

Safe Harbor also operated on the basis of self-declaration, with little independent oversight or enforcement of what companies declared. The ruling came after an Austrian citizen, Max Schrems, successfully argued that Facebook (located in Ireland) could not ensure his data was adequately protected once it was transferred to the US, given Edward Snowden’s revelations about mass state surveillance. That was the end of Safe Harbor.

Safer harbors: Privacy Shield

With so many businesses relying on the legal and safe transfer of data from the EU to the US, a replacement needed to be found quickly. And it was. Privacy Shield, which has yet to be ratified, looks set to be that replacement. While it doesn’t change EU data protection obligations, it does offer some big improvements on Safe Harbor, including greater transparency around US government access to transferred data, oversight of participating companies' behavior, and a defined dispute resolution process. Privacy Shield should be much less ambiguous than Safe Harbor.

If I were to be critical of Privacy Shield, I’d argue that it doesn’t go far enough in its definitions of what companies can and cannot do with personal data. If I were cynical, I’d argue that its principles are close to irrelevant anyway (and Safe Harbor's certainly were). But it is an improvement and sets some expectations about mass state surveillance of sensitive data. As for the impact on certification and compliance, we will have to wait and see what happens once the agreement is ratified.

Even safer, with LearnUpon

Where does LearnUpon fit in with all of this? We host data (both for customers and for our customers’ customers) within the EU and within the US. Nearly all personal data (the EU term roughly corresponding to personally identifiable information) is stored within the EU, except for some backups or “at rest” data, which is strongly encrypted before it leaves the EU. That meets our obligations under Safe Harbor, Privacy Shield, and, more importantly to us, Irish data protection law (which incorporates the EU directives). When we’re asked “Are you Safe Harbor?” we say no, because we don’t need to be, and because our own Terms of Service (including our Privacy Policy) are a lot more stringent than Safe Harbor ever was. Privacy Shield won’t change that much, either.

While some government agencies stipulate that their data must be hosted in the US only, many US customers benefit from hosting within the EU, simply because it offers better data protection. Irrespective of certification, LearnUpon is bound by one of the best sets of data protection laws in the world. We’re proud to be! You can rest assured that your sensitive, personal data is well-protected at LearnUpon.

Have a question? Get in touch and we’ll be happy to explain further.

PS: I am not a lawyer, this is not legal advice, and the usual disclaimers apply!
