Tag Archives: safe harbor

Update on replacement for Safe Harbor

In 2015, the US Safe Harbor scheme was deemed invalid by the European courts. As a result of this finding, the processing of personal data in the United States, e.g. on websites such as SurveyMonkey, ClassDojo and Edmodo, has likely been in contravention of Principle 8 of the Data Protection Act. Advice from the ICO thus far has been to “watch this space” rather than remove all data from the US, as it was likely that a new compliance scheme between the EU and US would have to come into effect.

The new US Privacy Shield scheme has now been approved by the EU as a replacement for Safe Harbor. Privacy Shield is another voluntary self-certification scheme where US companies can elect to comply with EU-equivalent privacy rules in order to transfer personal data between the EU and US. The US Department of Commerce has been tasked with reviewing self-certifications to ensure compliance and is to maintain a website of US companies which comply with the scheme.

It will now take time for US companies to self-certify themselves and for US Department of Commerce reviews to take place. As yet there are no companies listed on the Department of Commerce Privacy Shield website: https://www.commerce.gov/privacyshield

Going forward, if the Council is to store any personal data in a US-based system, it is important from a Principle 8 compliance perspective that a check is undertaken to ensure the company is Privacy Shield accredited.

For any Council personal data already stored in the United States, e.g. on SurveyMonkey, ClassDojo and Edmodo, it is important that we review the forthcoming list of accredited companies to ensure these companies end up on the list. If after a number of months we find that these companies are not self-certifying against Privacy Shield, we may need to consider removing Council personal data from these companies.

Given the UK has voted to leave the EU, there is current uncertainty around how this new EU-US agreement will impact the UK once it leaves the EU. Current thinking would appear to be that the UK is going to have to comply with, or have equivalent law to, GDPR.


Safe Harbor

The Learning through Technology team are not in any way legally qualified to offer specific advice on the EU Court of Justice ruling. Please contact our Information Security Officer for up-to-date advice.

However, we all have a legal responsibility to ensure we adhere to the principles of the Data Protection Act.

The section Safe Harbor related to was Principle 8: Sending personal data outside the European Economic Area.

The Data Protection Act (DPA) says that:

“Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

What happens now the Safe Harbor arrangements are no longer in place

The only way of complying with the Data Protection Act would be to gain the specific and informed consent of the data subject (in our case the data subject would be students and teachers).

But, to be properly informed, the data subject would need to be told that their data was going to a country where the authorities’ wide ranging powers of interference and surveillance and the absence of any administrative or judicial means of redress, compromise individuals’ fundamental rights to respect for private life and to effective judicial protection.

And considering the Court of European Justice ruling has questioned the data protection and security regime of the United States, then no contractual agreement will satisfy the EU data protection requirements.

At the time of writing, Safe Harbor 2.0 (if this is what it is to be called), currently being drawn up by the EU and US authorities, is already being questioned.

Google Apps for Education and other software providers have offered Model Contract Clauses (MCCs) as an alternative compliance option to Safe Harbor for a number of years. These clauses are not directly affected by the European Court’s decision and can be used by customers as an alternative means to legitimise the transfer of data.

The Department of Education (Scottish Government recognised) document provides further advice on Cloud services (Cloud Service Guide 2015).

In the specific case of Edmodo, Safe Harbor allowed its use, but with qualifying conditions.

The current terms of service for Edmodo can be found here: https://www.edmodo.com/corporate/terms-of-service

To agree to using Edmodo, ALL of your learners would have had to have parental agreement as detailed below, and you will have kept a signed agreement, renewed annually, for every pupil using the service.

“IMPORTANT! If you are not of legal age to form a binding contract (in many places, this is 18 years old), then you must get your parent or guardian to read these terms and agree to them for you, before you use Edmodo or provide any information to us. Please review this agreement with your parent or guardian so that you both understand how Edmodo works and what restrictions apply to your use of our websites and services. Remember, always get an adult’s permission before going online.”

With the demise of the Safe Harbor agreement, I would take a serious look at the terms and conditions, knowing that personal data is being stored outside the EEA, and look to other services such as GLOW to share data with learners and other professionals.

If you are in any doubt, please contact the Information Security Officer at Aberdeenshire Council who will offer more detailed advice.