Stormy Seas Ahead for Safe Harbor Users
When Europe's top court declared the Safe Harbor data-transfer agreement invalid, it should not have come as a surprise to those who follow the continent's privacy rulings. But now that Safe Harbor is out, U.S. technology companies must quickly figure out how to respond or risk damaging relationships with their European and multi-national customers.
Today, about 4,500 U.S. businesses invoke Safe Harbor in their daily operations, the Wall Street Journal estimates. Given growing cloud adoption, increased mergers and acquisitions between U.S. and European companies (especially in verticals such as big pharma), and U.S. enterprises' hunger to expand in regions like Europe, it's logical to predict that figure would only have grown in the coming years.
While the largest companies – Facebook, Microsoft, et al – are reported to have backup plans, smaller startups and service providers that could need local, on-premise datacenters in each European country are now scrambling to figure out how to serve existing customers, never mind expand operations.
"We can't assume that anything is now safe. ... The ruling is so sweepingly broad that any mechanism used to transfer data from Europe could be under threat," Brian Hengesbaugh, a privacy lawyer with Chicago-based Baker & McKenzie who worked on the original agreement, told the New York Times.
While there could be a short grace period to allow cloud service providers and developers to enact backup plans, U.S. businesses cannot wait to act, lawyers said. They can, for example, explore existing alternatives to Safe Harbor such as the EU Article 29 Working Party's Binding Corporate Rules for trans-Atlantic data transfers or the Union's "model clauses" for contracts. Microsoft, for example, said it has combined several of these steps.
"For Microsoft's enterprise cloud customers, we believe the clear answer is that yes they can continue to transfer data by relying on additional steps and legal safeguards we have put in place," wrote Brad Smith, president and chief legal officer, on a company blog. This includes additional and stringent privacy protections and Microsoft's compliance with the EU Model Clauses, which enable customers to move data between the EU and other places – including the United States – even in the absence of the Safe Harbor.
Data sovereignty will become more critical, said Fred Kost, senior vice president of HyTrust, in a company blog. Enterprises will demand to know where data is stored, who accesses it and where they are based, he wrote. As a result of Safe Harbor's demise, U.S. providers must deliver richer capabilities around data-protection policies and privacy, said Kost.
"This policy should include location-based boundary controls for data protection via encryption and role/location-based access control to ensure that data is only accessed in accordance with the laws and policies of the country in which it is located or originated," he wrote. "The use of cloud and global data sharing has a new problem today and companies are going to have to address the data sovereignty problem and how to enforce policy-based data privacy and protection."
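The boundary controls Kost describes amount to a policy decision made on every access: where the data originated, where it is physically stored, who is asking, from where, and whether it is protected at rest. The following is an added illustration of such a check, not code from HyTrust or from this article; the country codes, roles and policy table are constructed for the example, and real deployments would derive them from the applicable legal rules and from authenticated identity and location attributes.

```python
"""Data-sovereignty access check (added example, constructed policy).

Each record carries the country whose law governs it (origin) and the
country of the datacenter holding it. Each request carries the caller's
role and the country it is made from. The policy is default-deny: any
attribute the table does not explicitly permit blocks the access.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataRecord:
    record_id: str
    origin_country: str   # country whose law governs this data
    stored_in: str        # country of the datacenter holding it
    encrypted: bool       # encrypted at rest under a key the owner controls


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    role: str
    location: str         # country the access originates from


# Constructed residency policy (hypothetical values, not legal advice):
# for data originating in a country, which countries may hold or access it
# and which roles may read it.
RESIDENCY_POLICY = {
    "DE": {"boundary": {"DE", "FR", "NL"}, "roles": {"analyst", "admin"}},
    "FR": {"boundary": {"FR", "DE"}, "roles": {"analyst"}},
    "US": {"boundary": {"US"}, "roles": {"analyst", "admin"}},
}


def evaluate(record: DataRecord, request: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Every failure path is explicit so the
    reason can be written to an audit log alongside the decision."""
    policy = RESIDENCY_POLICY.get(record.origin_country)
    if policy is None:
        return False, "no policy for origin country (default deny)"
    if not record.encrypted:
        return False, "record is not encrypted at rest"
    if record.stored_in not in policy["boundary"]:
        return False, f"stored in {record.stored_in}, outside the permitted boundary"
    if request.location not in policy["boundary"]:
        return False, f"access from {request.location} is outside the permitted boundary"
    if request.role not in policy["roles"]:
        return False, f"role {request.role} may not read data from {record.origin_country}"
    return True, "allowed"


def audit(records, requests) -> list[tuple[str, str, bool, str]]:
    """Evaluate every (record, request) pair and return audit rows."""
    rows = []
    for rec in records:
        for req in requests:
            allowed, reason = evaluate(rec, req)
            rows.append((rec.record_id, req.principal, allowed, reason))
    return rows


# Constructed sample data for a stand-alone run.
SAMPLE_RECORDS = [
    DataRecord("patient-0001", "DE", "DE", encrypted=True),
    DataRecord("patient-0002", "DE", "US", encrypted=True),   # replicated outside boundary
    DataRecord("patient-0003", "FR", "FR", encrypted=False),  # plaintext at rest
]
SAMPLE_REQUESTS = [
    AccessRequest("alice", "analyst", "DE"),
    AccessRequest("bob", "admin", "US"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_RECORDS, SAMPLE_REQUESTS):
        print(row)
```

The point of returning a reason rather than a bare boolean is that data-sovereignty disputes are resolved after the fact: the audit trail must show not only that a cross-border access was denied or allowed, but which rule decided it.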
Predictable News
Following Edward Snowden's revelations – ranging from the U.S. (and U.K.) tapping European leaders' phones to the hacking of network backbones – the region's governors considered multiple responses. These ranged from commercial regulation to keeping data within Europe, but none of the approaches addressed mass surveillance by European nationals or even U.S. surveillance, according to the European Council on Foreign Relations.
So when, in September 2015, Advocate General for the EU Court of Justice Yves Bot recommended Safe Harbor should be invalidated, many expected the move. The 15-year-old pact allowed U.S. businesses to self-certify that they met European rules governing the transfer of data about European citizens to other nations, such as the United States.
"The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data," Bot said in an opinion last month. "[Safe Harbor is] no longer adequate [and] the decision adopted in 2000 was no longer adapted to the reality of the situation."
Managing editor of Enterprise Technology. I've been covering tech and business for many years, for publications such as InformationWeek, Baseline Magazine, and Florida Today. A native Brit and longtime Yankees fan, I live with my husband, daughter, and two cats on the Space Coast in Florida.