One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.


Safe Harbor at the European Court

Wednesday, October 14, 2015 - 13:45

The European Court's declaration today that the European Commission's fifteen-year-old decision on the US Safe Harbor scheme is no longer reliable is another recognition that Data Protection requires continuing assessment, rather than one-off decisions. European regulators have been recommending for years that neither data controllers nor companies to which they export data should rely on Safe Harbor certification alone. The U.K. Information Commissioner has published a guide for data controllers on how to assess whether exporting personal data involves unacceptable risks. He considers such assessments an acceptable way to satisfy the export requirements (Principle 8) of the Data Protection Act 1998.

Janet and Jisc have always followed this approach in discussions with cloud providers - not relying on Safe Harbor, but seeking additional contractual and operational measures to protect personal data. We therefore believe that these agreements should continue to be a good basis for customers' risk assessments in whatever regime may follow from today's judgment.

Safe Harbor is already being reviewed by the European Commission and US authorities, with a new legal provision currently awaiting approval from the US Congress. The new Data Protection Regulation, expected to be agreed within the next year, will also alter the legal situation that the Court was considering. With these changes already under way it seems unlikely that the Information Commissioner will expect data controllers to change existing arrangements in the short term - certainly not before his office has had time to review the judgment and its own guidance.

[UPDATE] As information becomes available for each of Jisc's agreements with cloud providers, we'll publish it on the relevant group for each agreement: