twitter facebook rss

Safe Harbor: Quo Vadis?

Posted by on October 26, 2015.

ECJ smallThe European Court of Justice ruling on October 6 has far-reaching implications. The court has not specifically ruled that Safe Harbor is illegal, only that it can no longer automatically be assumed to be legal.

In short, any US company relying on Safe Harbor can now be challenged in court. The reality, however, is that in the post-Snowden world it is self-evident that US companies are simply unable to abide by European laws over the storage of European personal data – their own national laws require them to hand over data to the US government in contravention of European laws.

Nobody knows what will happen next. Some lawyers have suggested that reliance on Safe Harbor should be switched to the use of European Model Clauses. Pinsent Masons wrote in Out-Law that companies currently relying on safe harbor “should urgently review the position, and consider other mechanisms that enable data transfers as an alternative, for example EU model contract clauses.”

But this won’t do either. The arguments that invalidate safe harbor can used equally to invalidate any form of words. It would be an attempt, in the words of one CISO member of the Wisegate community, ‘to force a square peg into a round hole’. Indeed, more than one German data protection regulator has already opined that model clauses do not meet the requirements of European law.

As of writing this it would appear that no US company can legally store any EU personal data in the US – and it could get worse very soon. If, as many expect, the US Court of Appeals rules in favor of the FBI against Microsoft and orders Microsoft to hand over the content of an EU customer’s emails from a server in Ireland, it would be difficult to see how any US company can store any EU data on any server anywhere in the world and still be compliant with European law.

But for many years US business has operated in the belief that Safe Harbor makes them compliant. Privacy activists have said for years that this cannot be true. It’s almost as if the United States has been in denial over the reality of European law. We wanted to see if this ‘denial’ has changed with the ECJ’s ruling. We spoke to a group of Wisegate’s CISOs, and gave them five options:

  • The EU must rewrite its laws to allow the export of EU data to the US
  • The US must rewrite its laws to make law enforcement/government access to EU data possible only via an acceptable court order
  • Business will start to store EU data on servers in the EU
  • The only current solution would be to encrypt EU data in a manner in which no third party can access the keys
  • It’s a tempest in a teacup; the politicians will find a solution to allow the status quo to continue

Forty-four percent believe that it is up to the EU to change its laws and come in to line with the US. This may be nothing more than pragmatic. All of the big internet companies used by Europe are American. It is inconceivable that that Europe will suddenly switch off its citizens’ access to Facebook, Google, Microsoft, Twitter, etcetera. It is therefore up to the EU to make this problem go away. Sixty-six percent, however, believe that the onus is on the US to make its own laws more internationally acceptable.

But perhaps the biggest surprise comes with the next two options. Sixty-six percent believe that US companies are likely to store their European data on servers within Europe. In reality, under the current laws of the US and the EU, this will make no difference. US companies cannot guarantee to keep European data out of US government hands in a manner that is currently acceptable to EU law; and the companies that do this therefore remain non-compliant with EU law.

Only 11% believe that the solution is encryption that makes the keys non-recoverable by government. The surprise is that this really is the only current solution – and that is partly why governments on both sides of the Atlantic are seeking backdoors in apps that use encryption in order to make it impossible.

Finally, 22% believe that it’s a ‘tempest in a teacup’ (there was an earlier one at Boston, and look what happened over that!); and that the politicians will solve things. I suspect that everybody hopes that this will be true, but only 22% seem to be willing to suggest it will happen.

We talked to one of the CISOs. He does not believe that encryption is a long term solution since it does not prevent governments trying to access data – it will simply make them try harder with different methods and possibly more covertly. Nor does he believe that Europe will be able to pressure the US to change its own laws – and even if it did, “there is nothing that provides comfort that we will not view said data.” He sees it as a lack of trust, and “laws don’t change that.” The solution will have to be political and a compromise. “However, it will still be presumed that the US is ‘watching’. That won’t go away soon since trust was violated.”

One thought on “Safe Harbor: Quo Vadis?

  1. M Freeman on said:

    There is another option. Store the ID token on the US server and the use the token to look-up personal details on a European server owned by a non-US company.

    Then the US company can comply with the US government request to show the data they hold … the token and only the token … whilst complying with UK data protection.

    Alternatively, as use is optional, companies like Facebook could ask their customers to agree to share their data with the US government up front?

    (Disclaimer: opinions are my own and not of any company I may represent)

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Perspectives | Tags: