Regarding The US-EU Safe Harbor Framework and Privacy Shield

Update for May 12th, 2016: We are continuing to observe the situation. The European Commission has released details of the new Privacy Shield Framework designed to heighten protections for transferring European Union residents’ personal data to the U.S. Procedural barriers still inhibit its approval, but it appears thus far to be a viable solution for US companies that need to respond to the invalidation of the Safe Harbor Framework.

We expect that approval of the Privacy Shield Framework may come as early as June 2016. To that end, we are putting into place the processes and policies necessary to ensure that we can properly comply with all new data protection regulations. Rustici Software is fully committed to ensuring that we are able to protect your privacy and security.

The situation is still fluid, and we await further information from the European Commission and related authorities. The US Department of Commerce has indicated that it will continue to administer the Safe Harbor program in the interim.

Until the Privacy Shield Framework is approved, two alternatives are available: EU Model Contract Clauses and Binding Corporate Rules (BCRs). Because of the significant administrative burdens and lengthy approval process of BCRs, many companies have elected to implement Model Contract Clauses in the interim. Rustici Software currently uses Amazon Web Services (AWS) for all data transfers between the EU and US that are affected by the recent ruling. AWS released a Customer Update on October 9th, in which it announced that it has fully implemented Model Contract Clauses:

Today, we’d like to confirm for customers and partners that they can continue to use AWS to transfer their customer content from the EEA to the US, without altering workloads, and in compliance with EU law. This is possible because AWS has already obtained approval from EU data protection authorities (known as the Article 29 Working Party) of the AWS Data Processing Addendum and Model Clauses to enable transfer of personal data outside Europe, including to the US with our EU-approved Data Processing Addendum and Model Clauses. AWS customers can continue to run their global operations using AWS in full compliance with the EU Data Protection Directive (Directive 95/46/EC). The AWS Data Processing Addendum is available to all AWS customers who are processing personal data whether they are established in Europe or a global company operating in the EEA. For additional information, please visit AWS EU Data Protection FAQ.

The full text of the AWS advisory is available here.

AWS’ Data Protection whitepaper further describes the effect of the Model Contract Clauses:

On March 6, 2015, the AWS data processing addendum, including the Model Clauses, was approved by the group of EU data protection authorities known as the Article 29 Working Party. This approval means that any AWS customer who requires the Model Clauses can now rely on the AWS data processing addendum as providing sufficient contractual commitments to enable international data flows in accordance with the Directive. For more detail on the approval from the Article 29 Working Party, please visit the Luxembourg Data Protection Authority webpage here: http://www.cnpd.public.lu/en/actualites/international/2015/03/AWS/index.html.

It appears that AWS’ implementation of Model Contract Clauses will allow our EU-based clients that utilize our Cloud Services to continue to comply with all relevant laws and regulations. However, we are currently making a closer examination of these matters to ensure that we are correctly protecting our EU clients’ interests and fully complying with all applicable regulations.

We will update this page and our privacy policy as developments warrant. If you have any questions or concerns, please contact us via your normal support channel, or send an email directly to our privacy team at safeharbor@scorm.com.

Warm Regards,

Your Friends at Rustici Software