Safe Harbor – Personal Data Of EU Citizens Not Safe In The USA?


Safe Harbor is no more. Well, Safe Harbor still exists, but following a ruling in the European Court of Justice it has now been ruled an invalid mechanism to protect the privacy of European Union citizens' personal data when it is moved to the USA from the EU. In essence this is a damning statement that says European Citizen personal data was never safe from certain parties in the USA.

This is down to the fact that the US government is perceived as having used that transmitted data to spy on citizens (as alleged by Edward Snowden). There is no suggestion of bad behaviour by US organizations themselves, who generally offer much better protection than many companies could develop and maintain themselves.

Exactly what this means is still being worked on. I suspect it will mean a lot of scrambling and head scratching for the many organizations (estimated at about 4500) who use Safe Harbor. Those organizations use it to run a centralized internal IT platform which supports their entire global operations, to offer centralized platforms for consumers hosted and run totally out of the US, and to move data around as part of their general business approach.

This week I had a number of non-IT friends ask me what this was all about. Mainly these questions are coming as the ruling is making news headlines around Europe. This post is a summary of what I tried to explain to them. Safe Harbor is something most people never knew existed in the first place and it is amazing it has taken over our televisions.

The Safe Harbor situation background

Organizations operating within the European Union have to conform to some of the strictest privacy laws in the world since the Data Protection Act came into existence. To ensure those standards of privacy are upheld in places where the laws might not be as stringent as in the EU, European organizations are generally not allowed to send personal data outside of the European Economic Area unless the receiving country (via laws) or organization (via processes and controls) can guarantee the same, if not better, levels of data protection and privacy. As defined on the US Export.gov website, there are some differences between the EU and the US.

“While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU.” – Source

Because of this, in July 2000, the European Union, working together with the USA, introduced something known as Safe Harbor. Safe Harbor set out 7 principles which had to be adhered to (listed below). US based companies adhering to these seven principles were allowed to opt into a program which then allowed them to transfer personal data of European Citizens to the USA and store/process it there.

That is where we were until October 6th 2015, the day this blog is being published, when that previous agreement was ruled as invalid mostly based on the fact private data is accessible to government organizations such as the NSA and hence is not as secure and private as intended. I am not going to focus here on the court case involving a European Citizen and his Facebook data as it is not really relevant given the ruling is now made.

The Seven Principles

Below are the seven principles. You can expect these to be made stronger, and perhaps more wide ranging, if a new version of Safe Harbor is to emerge.

  • Notice – Individuals must be informed that their data is being collected and about how it will be used.
  • Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
  • Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
  • Security – Reasonable efforts must be made to prevent loss of collected information.
  • Data Integrity – Data must be relevant and reliable for the purpose it was collected for.
  • Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
  • Enforcement – There must be effective means of enforcing these rules.

Data being shared

The type of data under discussion is really endless. Email servers hosted in the US for European Companies would be affected, HR systems hosted in the US for European Companies would be affected and Social Media platforms running in the US for European Citizens would be affected. In fact there are so many places data is shared either by a European Operating Entity, or directly by the consumer, that it is hard to list them and all the potential companies impacted.

In a world where organizations have been seeking to centralize their IT infrastructure and operational systems, to better manage them and keep costs down, and where this is closely tied to growing Software as a Service and Cloud based business models, there is no doubt that this is a major issue. The question really is: “Is this a shot across the bows of our US friends or something more dramatic unfolding in front of us?”

Short term solutions and trouble ahead

In the short term there are other ways, beyond Safe Harbor, to get personal data from the EU to the US. The issue is that all of those suffer from the same flaw as Safe Harbor: once the data lands in the US, government organizations such as the NSA are perceived to be able to get full access, even if that is not true. While the alternatives might be useful to buy time, they are also going to need to be supplanted at some stage by something new so as not to suffer the same fate. That “new thing” could come out of the new European Data Protection laws being worked on now.

So you might say another solution is for US companies to set up data centers in the EU. They could store European Citizen personal data there as well as provide their services from there. Well… that has a couple of challenges:

  1. Replicating data centers/infrastructure and systems is not cheap and it takes time. Someone is going to have to pay for that if US companies have to adapt. That would likely be the European Citizen at some stage, as they consume or buy services/software, through increased prices or more advertising. In the worst case certain services might be withdrawn from Europe. That is very unlikely though IMHO.
  2. There is an ongoing case involving Microsoft and the Department of Justice. Microsoft actually has Hotmail email data stored in Ireland on servers there. The US Department of Justice is seeking to gain access to that data given that Microsoft is a company headquartered in the USA and thus is under its jurisdiction. The interesting thing here is that there is no request to the Irish Authorities as far as I am aware. If Microsoft is forced to comply then this means not only is Safe Harbor not workable but essentially any US headquartered company will run into European Privacy hurdles IMHO. That is huge. They are effectively executing a search warrant in Ireland that was issued in the USA!

In Conclusion

Fundamentally the decision on invalidating Safe Harbor is a massive decision. The immediate impact for many is likely very low. The implications really depend on how organizations react and that is not going to happen overnight. In the short term companies are likely to examine the ruling and work with regulators to find a way forwards while a more permanent solution is established.

In the medium term the new European Data Protection laws will likely lead to “Safe Harbor” 2.0 which I suspect might include a lot more power for the European citizen to state what they are happy to have done with their personal data and it might have some surveillance clauses focused on national governments.

It will also be interesting to see what impact the Microsoft and DoJ case will have. It could be that it all gets cleared up by the new Data Protection Law as well (or get thrown out of court before then) but it could equally cause a whole host of disruption and provide no way for any US company to operate in Europe while ensuring the privacy of European Citizen personal data.

I hope this helped. Stand by for a possible seismic shift in the European IT landscape.

Please feel free to add your comments to this and if you think I have over/under-stated anything please let me know.

 

 

 
