Safe Harbor Ruling – Is the Sky Falling?
The European Court of Justice, the EU’s highest court, recently ruled that the EU – US Safe Harbor Framework can no longer be used as a standard to meet personal data transfer, storage, and sharing requirements from the EU to the U.S. Here’s a copy of the Court’s press release which articulates the ruling. Essentially the judgement opens U.S. Internet businesses with users in Europe to privacy challenges if they are processing EU data in the U.S.
According to a story by Stephanie Bodine in Bloomberg Business, Max Schrems, 28, an Austrian student, triggered the case with a complaint he filed in 2013 in Ireland. He was opposed to Facebook data on European users being transferred to the U.S. because of Facebook’s alleged collaboration with the NSA’s Prism program. The case ended up in an Irish court, which in 2014 referred a number of questions to the European Court of Justice, the EU’s highest court, whose October 6, 2015 ruling is binding.
The question is whether or not the sky is falling, as many stories would have one believe. In the Bloomberg Business story for instance, an attorney for Covington & Burling LLP in Brussels was quoted saying the ruling “pulled the rug under the feet of thousands of companies.”
Not so fast. As the dust begins to settle, it may not be as dire as initially portrayed. On the negative side of the equation is the point made by Scott Semel, EVP and General Counsel of Intralinks, in a VentureBeat article: some companies might be unaware of violations, especially if they rely on cloud-based services where data can be stored in any number of locations and by any number of subcontractors. On the positive side, many companies have adopted alternatives to Safe Harbor, including EU Model Contract Clauses and Binding Corporate Rules. A downside of Binding Corporate Rules is that they require a potentially lengthy approval process by EU regulators.
What about Cloud Service Providers (CSPs)? Brad Smith, Microsoft President and Chief Legal Officer stated in a blog post that if companies are using their cloud services, they’ve already taken steps to be compliant with the EU Model Clauses. He states:
“…for Microsoft’s enterprise cloud customers, we believe the clear answer is that yes they can continue to transfer data by relying on additional steps and legal safeguards we have put in place. This includes additional and stringent privacy protections and Microsoft’s compliance with the EU Model Clauses, which enable customers to move data between the EU and other places – including the United States – even in the absence of the Safe Harbor. Both the ruling and comments by the European Commission recognized these types of steps earlier today.”
So that’s good news.
Have other CSPs taken the same steps as Microsoft, anticipating a negative ruling by the Court of Justice? Of course; they likely saw this ruling coming as well.
As mentioned by Trevor Jones in a TechTarget SearchSecurity article, “Microsoft and Amazon each put out statements saying the ruling will not affect their customers’ data, citing approval from EU data protection authorities for their specific agreements and compliance with EU Model Clauses.” No doubt other CSPs will follow with their own statements, and they’ll want to, as none of these firms will risk losing business to other better prepared vendors.
What else is being done? Brad Smith of Microsoft stated that “there are also steps that can be taken quickly in the U.S., such as passing the Electronic Communications Privacy Act Amendment Act of 2015 (ECPA Amendments Act), the Law Enforcement Access to Data Stored Abroad (LEADS Act), and the Judicial Redress Act. These would all help.” Passing these Acts would provide the EU with a greater level of confidence that the U.S. is serious about privacy issues.
The fact is that most companies understand, especially now, that the EU is really sensitive about the transfer, storage and sharing of personal data. And with reasonable effort, there are ways to comply without the benefit of the Safe Harbor framework. More important, securing EU data makes good business sense.
The elephant in the room is that cybercriminals don’t care about whether the harbor is safe or not. Rather than worry about the NSA’s use of private data, the focus, in this author’s view, ought to be on putting improved security initiatives in place to protect data from criminal activity. Ultimately, customers want to trust that you take their security seriously.
Learn more about Cryptzone’s solutions to help safeguard systems that harbor customer data.