Data is challenging traditional thoughts about territoriality, jurisdiction and control. The latest broadside comes from the European Court of Justice which has invalidated the long standing ‘Safe Harbor’ agreement that allows US companies to pull data gathered in Europe back to its shores, where there is no protection from mass surveillance.
Safe Harbour is a data sharing agreement set up in 2000 between the European Commission, US and Switzerland, created as a "streamlined and cost-effective" route for US companies to collect data from Europe without breaking any rules. Participation in the Safe Harbor program has been voluntary. Companies in the US have been able to self-certify themselves that they have adequate data privacy measure in place. Up to 4,500 companies have relied on Safe Harbor, and not all are in the technology sector. However, following Edward Snowden’s snooping allegations, the European Court has ruled that Safe Harbor is no longer valid.
Under the Safe Harbor principles “companies were required to inform individuals about the purposes for which it collects information and uses data about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, the choices and means the organization offers individuals for limiting its use and disclosure, and how it is secured”.
A thorn in the industry’s side
The European Court ruling has created a complex and tricky issue that could have big implications for the technology industry. At the same time, users are demanding transparency. They want to know exactly what happens to their personal data during its life cycle.
The majority of large US technology companies participate in Safe Harbor but already share data in other ways, including Binding Corporate Rules and Model Contractual Clauses, both of which allow the international transfer of personal data. Some, such as Microsoft, saw the ruling coming and are prepared. It included compliance with the EU Model Clauses as a standard part of contracts for major cloud services with every customer. Earlier this year, Microsoft also became the first major cloud provider to adopt the world’s first international standard for cloud privacy, ISO 27018.
In addition, Microsoft already has huge data centers in Europe and other heavyweights are planning them. These web-scale business can store data in each country they operate in, although it may have some impact on their sourcing policies for systems hosted in the cloud. Those that have not put in place other ways of transferring data, however, such as global companies with less customers in each market, are leaving themselves open to hefty fines for individual EU states.
The Internet Association, which represents Amazon and Google amongst others, said in a statement: “Internet companies have mechanisms in place to effectuate data transfers beyond the Safe Harbor, but smaller companies and consumers both in the EU as well as in the U.S. could experience significant challenges going forward”.
The US government has been in talks with Europe for over two years to try and finalize a new Safe Harbor agreement. The European Court ruling has put the pressure on. Penny Pritzker, the American secretary of commerce said in a statement she was disappointed with the European ruling, which is not open to appeal, saying it “puts at risk a thriving trans-Atlantic digital economy”.
In the meantime, the negating of Safe Harbor will put national data protection authorities in charge of rulings, so there will undoubtedly be significant regional differences in how this is approached.
And from an industry perspective?
The ruling opens US technology companies with users in Europe to privacy challenges if they have transferred their data to the US. The European Court has not allowed for a transitionary period, which could speed up companies to adopt very strong encryption policies.
Others companies may be forced to restructure their European data processing operations. This would mean huge and expensive changes in the way they manage their data. Whilst large enterprises may have the resources to do this, others may find it very difficult.
And from an enterprise perspective?
Enterprises have been working towards centralization for years and have now been sold the cloud model as the ultimate way to store big data. With the immediate dismantling of Safe Harbor, what do they do next? Firstly, the Brussels EU Executive said it has been working tirelessly with the US Government to come up with a new Safe Harbor, so a ruling may well be in the pipeline. Whilst it is likely to give users more control over the data, it would solve the issue in one swift move.
But in any case, European enterprises should be running IT risk assessment on cloud, so that they know which country there cloud service provider (CSP) is headquartered in and where there data is actually being stored. It is also imperative that enterprises know which jurisdiction covers the contract they have with their CSP and if the contract is terminated how long the CSP stores their data for.
Enterprises can also consider tokenization or encryption of data before it is sent to the cloud. Tokenization replaces sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security. Tokenization is used to safeguard sensitive personally identifiable information (PII) such as medical records, drivers’ licenses and stock trades. Tokenization is better known for being used in credit card processing. If an enterprise encrypts or tokenizes personal data before it is sent to the cloud and retains the keys on premise, there is no personal data in the cloud service.
One thing is for sure – the data protection vista has changed overnight with the European Court’s ruling. At the core is the user’s right to control their own data. As Brad Smith, president and chief legal officer at Microsoft so succinctly put it: “People won’t use technology they don’t trust. We need to work together to build that trust”.
Jan has been writing about technology for over 22 years for magazines and web sites, including ComputerActive, IQ magazine and Signum. She has been a business correspondent on ComputerWorld in Sydney and covered the channel for Ziff-Davis in New York.