Safe Harbor ruling: What does it mean?


The Safe Harbor framework has been declared unsafe by the European Union (EU) and became invalid on 6 October, 2015. Since then, in essence, any European company has a greater responsibility to ensure that data transferred to a US-based service will be secured to European standards. It also means all customers or employees must be made aware of the situation and give their consent.

Since the EU decision in 2000, Safe Harbor has been a mainstay in cloud agreements with American online services suppliers. As long as the supplier guaranteed high standards of security, data could be moved freely across the Atlantic for storage and retrieval. Now that this has gone, service users and resellers have to re-evaluate.

The validity of Safe Harbor was not the intended target when Austrian privacy activist Max Schrems originally alleged Facebook Ireland was making personal data available to US intelligence agencies through its American parent company. He asked the Irish Data Privacy Commissioner to investigate his claims but the DPC declared there was no case to answer. Unsatisfied, Schrems challenged the findings in the High Court of Ireland – and that is when the trouble started.

During its deliberations, the High Court referred a question about Safe Harbor to the Court of Justice of the European Union (CJEU) for clarification. This resulted in basic tenets of the security policy being examined and found wanting. The ultimate CJEU judgement declared the Safe Harbor framework invalid.

Schrems’ allegations have been referred back to the Irish DPC and the case continues but, with Facebook denying any wrongdoing, the action may only be remembered for its serious collateral effects.

The torpedoing of Safe Harbor has not only sunk a core assurance of panatlantic deals but also blasted a hole in existing and future data storage agreements. At the moment there is a grace period which runs out in January, 2016, and the EU and US authorities are trying to agree a “Safe Harbor 2.0” framework.

The deeper question is one of trust. In a world where national security organisations are keen to access information on each other as much as learning about potential terrorist threats, governments are being asked to consider passing laws that delve deeper into personal and private data, labelled by privacy advocates as “Snoopers’ Charters”.

The European court declared the framework invalid for several reasons: the US government can bypass or interfere with any protection provided; US laws do not provide legal remedies for individuals who wish to access data previously supplied on platforms, such as social media, or have it erased or amended; the framework prevents national supervisory authorities from exercising their powers. All of these issues should be addressed by the new version of Safe Harbor but legal change can take time or may not be acceptable to the American authorities.

Key sticking points will be Prism and the Patriot Act. Even in their home country these Acts are controversial because they concern access to stored data for anti-terrorism and criminal investigations. Their powers are wide-ranging but the fact they are executed under a thick blanket of security means that even the US government may not be fully aware of the extent to which they are being interpreted by the National Security Agency.

That they potentially allow access to US datacentres at home and abroad has led to European concerns for the security of citizens who choose to use US services. Rumours and accusations that the likes of Microsoft, Facebook, Google and Dropbox have allowed open backdoor access to their systems have been strongly denied in statements from each company, but privacy activists are not convinced, arguing that gagging orders would prevent the companies from saying otherwise. It is a world of paranoia but the bottom line is that there is no trust between governments in the digital surveillance world.

The crunch is that, under EU law, data-sharing with countries deemed to have lower privacy standards is prohibited without special measures – and this includes the US. Sharing was only possible through the Safe Harbor agreement, and failure to agree on a new framework will mean that more expensive and time-consuming methods will have to be adopted.

The good news is that the version 2.0 talks are progressing optimistically. At their outset, US Under Secretary Catherine Novelli stated that agreement would be “just weeks away” but weeks have gone by and talks are still in progress, making a January deadline seem optimistic.

In the meantime, companies using, incorporating or reselling any of the 4,400 services that have self-certified under the original Safe Harbor agreement will have to consider their options. A useful resource for checking the status of US companies is the Export.gov website.

At the moment the Information Commissioner’s Office (ICO) is preparing an advisory but it has stated: “The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this.”

US companies such as Microsoft, Facebook, Amazon, Salesforce and, more recently, NetSuite have opened European datacentres to offset concerns about data sovereignty. These white, fluffy clouds could be darkened by the outcome of a long-running Microsoft appeal against a US order to hand over emails stored in Ireland. There are also issues about target sites for data centre backup systems which could see information being surreptitiously moved to the US.

Stephen Attree, managing partner and head of corporate and business services at MLP Law, comments: “What does this mean for businesses in terms of storing their data in the future? It is often seen as normal business practice to turn straight to cloud services provided by Google, Amazon and Microsoft for company intranets and business administration. So for those businesses that were using the treaty for legitimate reasons, such as to share staff data via cloud services, or because it’s cheaper to keep data on servers in the US, now is the time to review other methods that enable data storage and transfer.”

The ICO has previously issued advice which offers alternatives to Safe Harbor, and companies concerned about how the judgement will affect them should check their hosting provider agreements. Employment contracts or business contract terms and conditions should be upgraded to gain the explicit consent of employees, customers, and suppliers on how data will be stored in future.

Every company should analyse its current use of US cloud services to prune out unnecessary services and to seek out European alternatives. Where this is not possible, personal data transfers could take place under an alternative legal basis. Possible alternatives may include use of the ICO’s model contractual clauses, which offer advice for data transfers outside the Safe Harbor framework.

Analysis also needs to take into account any third parties that may receive personal data as a result of using a US services supplier through “onward transfer” agreements.

Most of all, funds will need to be set aside to cover the extra costs that will inevitably follow the outcome of the Safe Harbor talks.

The sudden outlawing of Safe Harbor has thrown confusion into the marketplaces and any advice can only be speculative until Safe Harbor 2.0 appears. The only lesson to emerge is the bland one that frameworks of convenience are no substitute for circumspect diligence when it comes to ensuring data security.