The Safe Harbor is No Longer Safe
Context is incredibly important in all things. As I have been preparing for a conversation about information security and privacy at a major international event, I decided that by means of introduction, I should come up with a (totally unscientific) list of people who have changed the contemporary world. Other than leaving off mass murderers and war criminals, I was open to just about anyone, and that’s what I got. Although the list is long, some obvious choices were, in no particular order, Bill, Steve, Andy, Gordon and Sergey and Larry (no last names needed). Among the less traditional choices were David Bowie, Billie Jean King, Magic Johnson, Robert Oppenheimer, the Pope and Elvis. If nothing else, it’s been a very interesting exercise.
The point of gathering this information has been to put in context the person who has had a dramatic effect on the world with respect to information security and privacy. Like it or not, Edward Snowden has changed the world. Whether you agree with his actions or not, he has—and will continue to—have a significant impact on all of us, both personally and professionally, particularly where technology continues to enable entities to reach more deeply into our personal lives than has ever before been considered, let alone possible.
In the first part of this series, I presented information that was focused more intensely on the domestic side of this issue. That is, how American entities need to consider the data that they have in order to fully manage it. In this part, we’ll look at least a bit more globally, with particular attention to the relationship between the U.S. and EU with respect to information security. The decision in Schrems v. Data Protection Commissioner (Case C-362/14) has already had an impact for those entities that both intentionally and unintentionally transfer data across the Atlantic to the U.S. as a result of using the cloud for storage and/or processing.
Before digging into what this decision means technically, it’s important to consider a critical distinction between the U.S. and European Union with respect to privacy. In the U.S., individuals and businesses consider privacy a matter of commerce. It’s not that Americans don’t care about the security of their personal data, but they rely on the institutions with which they share this information and themselves to keep what’s private private. In the E.U., however, privacy is considered a fundamental right. In fact, in quoting from the statement made by the Court of Justice of the European Union, “…legislation permitting public authorities to have access on a generalised (sic) basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” It is essential to understand this vastly different standard when considering the post-Schrems environment.
One other thing. One of the challenges with cloud computing generally is the question of where the data actually is. Following this decision, the location of the cloud matters more than ever. Once data leaves the European Union’s borders for the U.S., the Schrems decision, and the rules that will follow, become crucially important. As such, it’s important, particularly for EU entities to know where the cloud they are using is. It matters!
The Case
Austrian Maximillian Schrems brought suit in an Irish court following the disclosures made by Edward Snowden. Specifically, Schrems claimed that the U.S. did not offer sufficient protection from U.S. surveillance for data that was transferred from an EU location (in this case, Ireland) to the U.S. Specifically, Mr. Schrems claimed that the information that he provided to Facebook was stored at Facebook’s Irish subsidiary, and some--or all--of his data was then transferred to other Facebook servers in the U.S. for processing. No one disputes these facts.
In 2000, the EU adopted its “Safe Harbor” decision which enabled U.S. companies to self-certify that their own internal company practices ensured a sufficient level of protection for data coming from the EU to the US, under the terms of the EU Data Protection Directive 95/46/ec (http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=URISERV%3Al14012). This EU’s safe harbor was effective until this past October, when the EU Advocate-General determined that the protections provided by it were insufficient. Further, in its opinion, the court determined in a potential conflict of laws case that while an EU court made this decision, individual court members (i.e. EU member countries) have power, independent of the EU, to not only investigate claims about the level of data protection between respective EU countries and the U.S., but to suspend data transfers if, on an individual and not collective basis, each determines that the U.S. doesn’t provide a sufficient level of protection of private information.
Key take-aways are:
Loss of safe harbor protection could be a deal breaker for entities that process and store data coming from the European Union. These changes will—and have had-- a significant impact on the cloud-based businesses where processing is handled stateside. If you have questions or concerns, now is the time to learn the new rules. They’re continuing to evolve, but current knowledge of obligations will certainly make the difference between maintaining an EU-client relationship and losing it.