An Unsafe Harbor
Initially, she thought it was spam. Someone was sending Vidhya Ranganathan, senior vice president of products for Accellion, a seemingly malicious link via e-mail claiming that the Safe Harbor agreement between the United States and the European Union (EU) was invalid—and she wasn’t going to click on it. But then she realized it was from Reuters, and knew it was legitimate. She was shocked.
“The writing was on the wall that it had to come,” Ranganathan tells Security Management a few weeks after the agreement was struck down. Safe Harbor “was so outdated. It was written in 2000…no one even thought that Safe Harbor was going to be what it is today.”
The Safe Harbor agreement was designed to allow private companies to comply with the EU Data Protection Directive. This directive allows personal data to be transferred out of the EU to another country, but only if that country ensures an adequate level of data protection, such as through domestic law or international commitments. It also requires EU member states to designate one or more public authorities to monitor the application within their territory to ensure data protection.
Safe Harbor was the international commitment that the United States and the EU used to allow companies to move people’s digital data—including personnel data—between the two. Companies went through a complex process to self-certify that their data practices were equivalent to the protections required under the Data Protection Directive.
However, companies’ abilities to protect EU citizens’ data came under scrutiny after former National Security Agency contractor Edward Snowden leaked information to the media detailing U.S. government surveillance practices that were initiated after 9/11—after Safe Harbor was created.
Last October, in a case initiated by Austrian Maximillian Schrems, the EU’s highest court ruled that Safe Harbor was invalid because U.S. public authorities were not subject to it. The agreement enables limitless interference with citizens’ privacy rights by the U.S. government, according to the decision.
“The United States Safe Harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons and the commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference,” the court explained.
As Ranganathan says, the writing was officially on the wall. So what does the ruling mean for companies using Safe Harbor? And if it’s no longer valid, what will replace it to allow companies to transfer data between the EU and the United States?
When the ruling came down, it came with a grace period through the end of January 2016 to allow the United States and the EU to negotiate an alternative to the original Safe Harbor. As of Security Management’s press time, no new agreement had been reached.
In the meantime, “businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks…” according to a statement released by the Article 29 Working Party.
The Article 29 Working Party—named for the provision in the 1995 EU Data Protection Directive that created it—is an independent advisory body on data protection and privacy made up of representatives from the national data protection authorities of the EU member states, the European Data Protection Supervisor, and the European Commission. In the aftermath of the Schrems ruling, it was tasked with discussing the consequences of the ruling and finding an alternative solution for data transfer with the United States.
“If by the end of January 2016, no appropriate solution is found with the U.S. authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions,” the statement explained. These enforcement actions could range from stiff fines to lawsuits.
With that window, the United States and the EU began considering 13 European Commission recommendations—11 of which were agreed to in November, says John Isaza, head of the information governance and records management practice at Rimon, a law firm specializing in high tech.
“At first glance, that sounds really promising,” he explains. “However, the two remaining issues that are unresolved deal with the issue of access of U.S. authorities to the transferred data.”
This is why Isaza thinks Safe Harbor is a political issue, because the Europeans are “very suspicious of the U.S. authorities going into a sort of blanket agreement to be able to access private data from private organizations,” he says.
And the Working Party has made it clear that blanket surveillance will not be tolerated because it is “incompatible with the EU legal framework,” according to a statement. “Transfers to third countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations...”
This statement touches on a part of the EU high court’s ruling that is especially important, the principle of onward transfer, says Ann LaFrance, partner and co-leader of the Data Privacy and Cybersecurity Practice at the law firm of Squire Patton Boggs.
LaFrance describes onward transfer as the practice of a cloud provider storing information in the United States that was sent to it from Europe that might then be accessed by the U.S. federal government without Europe’s permission or knowledge.
“When a national security authority from the United States, without a warrant—or what Europeans might consider adequate safeguards—can just access the data as used to be the case arguably under the Patriot Act regime, that is one of the concerns about adequate protection that the Snowden revelations made everybody very worried, about the scope and extent to which U.S. authorities had access to anybody’s data that was stored in the United States, or was being processed in the United States,” LaFrance explains.
The USA Freedom Act, which was enacted by Congress in 2015, did impose some restrictions on the ability of law enforcement and national security authorities to access anyone’s data in the United States on suspicion of terrorism or crime. However, LaFrance says the “real question will be whether that law has sufficient safeguards” to give the EU the impression that there is adequate protection of citizens’ data. As part of the Schrems decision, the Irish data protection commissioner will be looking into this issue, and the working party will be following the progress.
Another major concern that emerged out of the Schrems decision is the lack of recourse that EU citizens have in the United States if the government does access their information. “Currently, they have none,” she adds. “Only Americans can complain about what has happened to their data if the U.S. authorities grab it for some reason relating to terrorism or crime.”
Congress is considering legislation, the Judicial Redress Act, that would give EU citizens legal recourse in situations where European law enforcement agencies share information with U.S. law enforcement agencies and that information is misused. But, so far, no legislation has been introduced that would give EU citizens a similar course of action for data transferred between private parties.
While the EU and United States continue to work toward a new Safe Harbor agreement, there are alternatives that companies can pursue to comply with the EU Data Protection Directive. Isaza suggests beginning with an assessment of each company’s own situation: mapping data and looking at how it flows across the organization to see whether there is any way to avoid transferring it between the EU and the United States.
“Then, organizations need to do some soul searching to identify how critical this data is, how sensitive the data is, and how important it is to have the data transferred,” he explains. “Obviously, if you’re a company like Google or Facebook, you’re all about the transfer of the data. But if you’re a run-of-the-mill organization, there might be ways around it without having to throw yourself into that culture of activity regarding this data transfer.”
For instance, some companies could use third-party, cloud-based computing companies in Europe as their primary data controllers. This means that a U.S. company would use the EU company to host its data to prevent the U.S. government from issuing a subpoena to obtain information on EU citizens.
“Data controllers in Europe don’t have to respond to those subpoenas; whereas if the data was controlled here in the United States, they would have to respond to those subpoenas,” Isaza says.
Microsoft is already pursuing this course of action, planning to open data centers in Germany in mid-2016 in partnership with Deutsche Telekom AG.
According to Microsoft’s announcement, the data centers will be under the control of T-Systems, a subsidiary of Deutsche Telekom that will act as a data trustee. Microsoft will not be able to access the data without customer or data trustee permission, and if it is granted access, it will only do so under the data trustee’s supervision.
Ranganathan also says that moving data to a data center and private cloud operated by an EU-certified vendor is an option for companies that don’t want to wait to see whether a new Safe Harbor agreement will emerge. It also might be a more cost-effective option.
“There have been many studies that have proven that, in the long run, a private cloud may be much more cost-effective than moving everything to the public cloud,” she explains. “And you have control over it. You’re not subject to the Patriot Act. You have control over where it’s stored, who’s hosting it, and you can sleep well at night.”
While these workarounds exist, Isaza says he thinks the issue of data transfer between the EU and the United States needs to be tackled head on by the two entities.
“Because what’s happening is that the legislative process is making the private sector look like it’s untrustworthy,” he explains. “And it really is more of a political tug of war going on, rather than truly being a reflection on the private sector not being on top of it.”