The European Court of Justice’s ruled that the 15-year-old safe harbor agreement with the USA. Does this mean that Facebook is no longer authorized to transfer EU member state citizens’ data to the USA?
The European Court of Justice’s October 6, 2015 ruling on data protection may affect the way companies based in the United States carry out their operations within Europe. According to the Ruling by the EUCJ, the “Safe Harbor” data protection agreement established in the year 2000 has been invalidated. This agreement allowed for transfer of EU citizens’ data to America, but with the invalidation, what does it mean for companies like Google, Facebook and Microsoft?
The case had been running for two years prior to its introduction to the European Union’s highest Court, brought by one Mr. Max Schrems, an Austrian privacy activist. According to the EUCJ, the trans-Atlantic data protection agreement signed European Commission (EC) in 2000 was invalidated since it does not provide for adequate protection of consumers’ privacy, particularly following the recent Snowden revelations.
But before delving into the details of the ruling and its impact, let’s start at the beginning, shall we?
Where did the “safe harbor” agreement come from?
According to the EU’s laws on privacy, citizens’ data movement outside of the EU is forbidden, except when that data is being transferred to locations that are considered to have “adequate” privacy protection measures – according to what is in place within the EU.
The safe harbor agreement was made between the US government and the EC, in which the former committed to protect data belonging to EU citizens should they be transferred to the USA by America-based companies.
Therefore, according to the agreement, companies like Facebook and Google were allowed to transfer and store data from EU citizens to US-based data centers after self-certifying that they would adequately protect it.
The safe harbor agreement, as explained by experts, has one major advantage: it operated as a sort-of “one-stop shop” providing for exportation of EU citizens’ personal data to the United States without having to seek consent and/or make mutually-beneficial agreements each time data transfer was needed.
How does the EUCJ Ruling affect Cloud Data Privacy?
The safe harbor invalidation will certainly affect many US-originated multinational companies that require global data in order to act. By scrapping off the agreement, these organizations’ free flow of data is curtailed. This is the data which the companies rely on for mission-critical strategy and decision-making.
In the immediate and short term, the ruling will affect all companies that have branches within the EU, and has the potential to spread to other parts of the world. Other countries may elect to follow the example set by the EU, or act in retaliation. As such, multi-national companies should strategize with the mind that this may become a much bigger trend over the longer term.
With the increasing data privacy requirement restrictions, businesses that are unable to quickly adapt to the changing regulations may suffer dire consequences. In particular, global cloud service providers (CSP) based in the US are in a tighter spot, since the very ropes of their business depends on free data transport between Europe and the USA.
Without the agreement that gives them authority to store data for their Europe-based clients as well as mobile app developers, investment and financial performance of these companies is likely to decline. In order to survive, these US-Based CSPs must look into the option of acquiring property within the EU to construct data centers there. However, there’s no question that their ability to cater to clients in different regions will be affected.
With the global adoption of cloud data storage, it was bound to happen that organizations’ regulated data and any sensitive data would be given over to third-parties such as SaaS application system providers. As such, many IT security experts cannot fully account for the storage location of organizations’ sensitive data.
Multinationals in particular, face unique challenges regarding storage of data, data privacy and residency, which in a way provides additional benefits to players within the InfoSec community, particularly during the transition periods following the impact of rulings such as this one.
These organizations will need practical advice to enable them implement frameworks and measures to comply with data privacy regulations even as they continue running their businesses – this is something that the Safe Harbor agreement lacked.
Guidelines for CSPS in light of the new law
Below are a few tips to guide cloud service providers following the Safe Harbor ruling and the changes it promises:
- Find out what data is moving from within your network and where it’s going – this includes any potential sanctioned clouds and shadow clouds. In addition, find out where all related data centers are located and which ones need to be made compliant.
- Proactively tokenize data and make sure it complies with current EU data privacy requirements. Tokenization is a useful solution to address data privacy concerns and regulatory compliance given that tokens do not have any mathematical relationship with the original, clear-text and usually sensitive data hence no possibility of trap doors/back doors.
- Find out where your can use local EU CSP data centers, bearing in mind that local CSP reserves the right to shift data between their data centers. As such, your primary and backup data stores may end up being in different countries; regions even.
- Brace yourselves for changes in the data privacy regulatory landscape by future-proofing your cloud and IT infrastructure. For instance, look into parsing, encryption, anonymizing of data so that they can adapt to continuously changing regulations more readily. As an organization, ensure that you are wholly responsible for implementation of mechanisms that provide for anonymized data sharing, allowing data users to glean the necessary insights for business decision making without violating any personal privacy requirements
- In the process of data encryption, provide for sole ownership/custody of the encryption key, which is compulsory for data protection. In addition, confirm that your method of encryption provides for data protection through the entire cloud data lifecycle i.e. in use, in transit and at rest.
Is data transfer to the US still possible?
In light of the ruling invalidating the 2000 agreement, American companies operating within the EU – Facebook, Microsoft, Apple and Google included – are no longer able to rely on self-certification. Instead, they will need to develop “model contract clauses” for every case. It is these new agreements that would authorize them (or not) to transfer data to the US or anywhere outside Europe.
According to the European Consumer Organization, if the above-mentioned companies would wish to send EU citizens’ personal data across the Atlantic, they simply have to demonstrate that adequate levels of protection have been implemented – according to the EU regulations that is.
For the larger US-based technology, companies with operational activity within the EU, the level of impact is unlikely to extend beyond increased paperwork. It is likely that many of these companies will have already drawn up the required model contract clauses. However, those who don’t have theirs ready may be forced to cease any cross-Atlantic data transfer endeavors until that is taken care of.
In addition, a large number of US-based multinationals, including Apple, Google and Facebook have already set up – or are currently setting up – data centers based in the EU where EU citizens’ data will be stored. Google for example has four Europe-based data centers, one of them in Ireland.
Impact on Facebook
Facebook was actually the “cause” behind Max Schrems’ case and is therefore at the forefront of everyone’s mind. According to the ruling and statement by the EUCJ, the Irish Data Protection Authority (DPA) may have to investigate Mr. Schrems’ claims regarding the possibility of his private data being accessed by American government intelligence agencies, as well as the company’s data protection policies and practices.
Following the investigations, it will now be upon the Irish DPA to give a verdict on whether transfer of EU Facebook subscribers’ data across the Atlantic will have to be suspended by reason of inadequate levels of protection for individuals’ private data.
Does it make any difference to individual users?
In the short term, there is unlikely to be any palpable impact on users. In theory, the dissolution of the safe harbor agreement; henceforth, provides for stronger protection of users’ personal data and information. In addition, the dissolution may help prevent US government access to the private data of citizens in the EU.
It is also unlikely that services and sites like Facebook will suffer any meaningful disruption. However, the ruling does open the door to further user-originated complaints, probes and/or lawsuits as well as action from data regulators.
How does the ruling affect cloud services?
The bigger and more established cloud service providers are unlikely to be affected by the ruling. However, the same cannot be said of the smaller companies that offer cross-Atlantic cloud services. Many organizations in Europe utilize cloud storage and processing services based in the US, being unable to do it themselves. Call it outsourcing in the 21st Century.
Similarly, these companies will be required to abide by the same regulations governing MNCs like Google and Facebook i.e. they will have to draw up model contract clauses as well as making sure that any service they are using e.g. Amazon Web Services are compliant with data protection regulations.
However, even though the agreements will likely be standardized and more-or-less fixed, the financial and administrative burden of seeking and gaining approval prior to data transfers will still be felt by these organizations.
Will there be a new Safe harbor agreement?
The EUCJ ruling did not completely some as a surprise; it was to be expected given the endorsement of the opinion of the European Union’s Advocate General regarding the safe harbor agreement. Nonetheless, nobody expected it to come this soon.
A new safe harbor agreement is being currently negotiated between the US government and the EU, a process that has been going on for the past two years following the 2013 Snowden revelations that raised a major stir.
The EU has since then made attempts to control/curtail the US’s access to data from EU citizens transferred to and stored within the US. In addition, attempts have been made to provide for the ability of EU citizens to take legal action on US-based companies within the US judicial system if these companies are found to misuse their data.
Throughout the negotiations, the EU’s weapon has been the threat of imposing a veto in any future trade agreements, but the two parties have yet to come to a common ground. This ruling by the EUCJ will most likely add fuel to the progression of the agreement, now that a new agreement is urgently needed to facilitate smooth continuation of International trade and services. However, some analysts predict that the ruling will more likely hurt than help the negotiation process of a new safe harbor agreement.
Experts say that simply tweaking and fine-tuning the controversial aspects of the current safe harbor agreement could result in a workable solution much faster. This is the focus of US government officials on the negotiating table. However, with the ruling, it’s not easy to predict how this idea might proceed.
What if a new agreement cannot be reached?
If the US government representatives make any attempt to disrupt the negotiation process for a new safe harbor agreement, the heaviest impact will be felt by US-based companies that were looking to expand business to locations in the EU zone. While European companies that have outsourced their cloud services to the US may face service restriction, a move to create and leverage Europe-based data centers will easily solve the latter problem.
Meanwhile, data encryption may be the key to ensuring continued data transfer until a new agreement is negotiated and enforced. Tokenization and encryption prior to sending data to the cloud will get rid of many of the privacy concerns, provided that ownership of the encryption keys is also controlled.