Coroners and Justice Bill
Joel Harrison
ukcrypto at chiark.greenend.org.uk
Mon, 2 Feb 2009 13:00:46 +0000
On Mon, Feb 2, 2009 at 11:13 AM, Richard Clayton <richard@highwayman.com> wrote:
> Although US law does _not_ provide sufficient protection, the US "safe
> harbour" arrangements are acceptable (this is almost certainly the basis
> on which the data was transferred to Omaha)
>
> http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list
Actually, the Safe Harbor is often relied upon incorrectly in this
context. The Safe Harbor applies only to transfers from a data
controller based in the EU to another data controller based in the US.
It cannot apply to transfers from an EU data controller to a US data
processor. The reason is that the Safe Harbor requires participants
to give a number of undertakings that a mere processor - which is
obliged to act only on the instructions of its appointing controller -
is not competent to give.
Joel