EU watchdog rejects Safe Harbor replacement - where does this leave your business?

A new data transfer pact between the US and the European Commission has been rejected by a panel of European Union privacy watchdogs, leaving businesses and vendors in limbo.

The new transatlantic pact - dubbed Privacy Shield - was designed to replace the Safe Harbour agreement, which was invalidated last year, a move that caused concern for enterprises and the Silicon Valley giants that look after their private data.

However, The Article 29 Data Protection Working Party, has deemed that further work is required to the proposed Privacy Shield pact if the personal information of EU citizens is to be safeguarded.

Luca Schiavoni, senior analyst, regulation, at Ovum, believes that it is now back to the drawing board for the Privacy Shield agreement. 

"Since the EC announced the key points of its deal with the US authorities, concerns have emerged about certain aspects, such as the many exceptions under which the bulk use of personal data could still be possible for US authorities. There are also concerns that the powers and independence of the ombudsperson, which should ensure that EU citizens have the ability to seek redress in cases of privacy breaches, are not clearly defined and guaranteed," he notes. 

"The opinion of the Article 29 Working Party is not binding for the EC; however, it is unlikely that the EC will be able to ignore it. It represents the position of Data Protection Authorities of influential member states. Also, the EC should be worried about building a framework that is not too easily subjected to legal challenge. If the European Court of Justice finds that the flaws of Safe Harbor have not been addressed in the Privacy Shield agreement, it will not hesitate to strike the latter down too. Companies affected by this agreement should prepare to face more uncertainty, because the deal is likely to undergo further amendments before it is finalised."

Indeed, this leaves organisations both in the US and the EU in a potentially precarious position.

Safe Harbor allowed companies to provide EU-levels of data protection within the US and thus have permission to transfer customer data out of the EU jurisdiction and into the US. But when the Safe Harbor pact was invalidated, many US companies holding data on European citizens were suddenly in breach of the  European data protection directive.

Safe Harbor was also vital to UK businesses which held customer data in the US.

Companies affected by this agreement should prepare to face more uncertainty, because the deal is likely to undergo further amendments before it is finalised.

Ivan Mazour, founder of Ometria, recently explained to MyCustomer: “While only a few thousand companies actively and directly utilised the provisions, by self-certifying their data protection levels, in reality almost all businesses have been affected by this ruling.

“A UK business holding customer data immediately becomes classified as a data controller, and is bound by the EU data protection directive, and the 1998 UK Data Protection Act, overseen here by the ICO - the Information Commissioner’s Office. A data controller needs to abide by many rules, such as processing the data fairly and lawfully, and ensuring both technology and processes are put in place to avoid any kind of data breach or loss.”

SaaS headache

The increasing reliance on software-as-a-service providers, which are often based in the US, is the main headache.

Mazour continues: “Most of these US providers have the relevant data security processes in place, and until now have been relying on the Safe Harbor provisions to ensure that their clients, those UK and EU businesses, do not breach any regulations.

“Most of these technology companies are still US-based, have their entire technical infrastructure in the US, and therefore transfer all customer data into the jurisdiction as soon as they are used. Without the Safe Harbor ruling, UK-based companies using their services would find themselves in breach of regulations - and it would be those businesses themselves which would be at risk, not the technology providers.”

With Privacy Shield unlikely to be implemented in the face of concerns from the Working Party, US companies will continue to rely on the contingency plan they put in place after Safe Harbor was ruled obsolete. This means using European Union Model Clauses - standardised clauses between a service provider and a customer to ensure that any personal data being transferred to the US will be in compliance with the EU Data Protection Directive.

Larger companies, from Microsoft to Salesforce, updated their contracts to include these immediately after the Safe Harbor ruling. What this means in reality, however, remains untested, and Mazour believes it is only a matter of time before someone challenges these in the same way as they successfully challenged Safe Harbor. This leaves them in a precarious position until Privacy Shield can be refined. 

Mazour concludes: “So for a UK-based business, the only way to truly avoid exposing themselves to risk is to use a European technology provider, and validate that their entire infrastructure, whether they are using cloud data centres or their own servers, is based in the EU. By ensuring that personal data isn’t transferred out of the EU, UK businesses can be certain that they are not affected by the removal of the Safe Harbor provisions, and don’t have to spend time and money researching alternatives and ensuring they are still protected.”

Marc-Elian Bégin, CEO and co-founder of SixSq, one of the suppliers for the Cloud for Europe project, expressed similar sentiments when the Safe Harbor ruling was invalidated, suggesting businesses should choose their cloud products and services “very carefully”.

“Enterprises are worried that their data might be used or spied on will want to avoid US-based providers. It is one thing for the EU to rule that US-based companies cannot send user data to the US for processing, but this will take time to implement and enforce,” he said. 

“At the source of all this is the knowledge that the cloud being ’somewhere out there’ is not acceptable anymore. Users now need to understand exactly what data is where. And this will be a significant challenge for companies mixing and matching services,” Bégin says.

“Cloud technology now more than ever before needs to offer transparency in terms of where applications are deployed and running, what data they access and produce, where it leaves data and what data and what and how to erase data after processing.”

Companies will have to be more involved, Bégin says, and it’s also up to technology developers to make this process easier than it already is - as SixSq itself is finding itself doing.

“We are now working on major improvements to our service catalogues to make selecting a cloud much simpler, safer and clearer. For this, we are teaming up with European cloud providers, research partners and security specialists such as the Cloud Security Alliance.

"Providing application developers with better tools to deal with data (big and small) is another field of development that is keeping us busy.”