All at sea: what the reevaluation of Safe Harbour could mean for your cloud

There’s always been a rift between the way US and EU law treats the protection of personal data. While the EU’s Data Protection Directive has regulated the processing of personal data within its borders since the early days of the internet era, there’s no equivalent in the US, which, for varied reasons, instead takes a less proactive, ‘ad hoc’ approach to the issues of data protection as and when they arise.

Thus we have the ‘Safe Harbour’ agreement. Since 2000, US companies have been allowed to transfer the personal data of EU citizens to the US as long as they declare that they meet the strict standards of the EU’s Directive.

Twelve years on, ministers started to take a fresh look at the Directive in light of the unstoppable growth of connectivity around the world in the years since it was created, and the global nature of technologies such as cloud and social networking. As virtual borders have dissolved, so have the certainties around what constitutes private information and who should be responsible for it and how, and the EU data protection regime has been the subject of rigorous debate.

But in June of last year, an unassuming 29-year-old IT contractor came out of the woodwork and suddenly the debate was forced up a notch. Now, as the world is looking to the US and asking serious questions about some of its biggest tech companies and the trust we put in them on a daily basis, that rift between European and American attitudes to data protection has never seemed wider.

Privacy comes of age

In January this year, EU justice commissioner Viviane Reding made a speech outlining how the ‘inconsistent’ patchwork of national laws that forms the Directive would soon be replaced by a ‘uniform and strong’ Europe-wide Data Protection Regulation. Though most of the media attention has been around search engines and the ‘right to be forgotten’, and the laws regarding informing authorities of a data breach, the reforms will include, among other measures, an overhaul of the Safe Harbour rules.

Since June 2013, ‘the Commission has taken a firm stance from the first surveillance revelations, saying loud and clear that mass surveillance is unacceptable,’ Reding said in her speech. ‘We set out the steps that should be taken to rebuild trust in EU-U.S. data flows. We kicked the tyres and saw that repairs are needed. For the Safe Harbour to be fully roadworthy, the US will have to service it.’

In the coming months, the EU commission’s job will be to see how well those repairs to Safe Harbour have been carried out, and if found lacking, ministers are likely to strengthen it or scrap it altogether in time for the new Regulation to be put in place in 2017.

The European Parliament, together with advisory bodies such as the Civil Liberties Committee, recommends a complete termination of Safe Harbour and a renegotiation of the rules from scratch.

Meanwhile, the European Commission’s own recommendations include that US companies participating in the Safe Harbour agreement practise better transparency, and that the agreement be more actively enforced by the US Department of Commerce. Safe Harbour companies could be subject to regular external audits, alternative dispute resolution procedures could be put in place, and US authorities must make clearer the circumstances under which they will gain access to EU personal data processed by a Safe Harbour self-certified company.

One thing is for sure: the days of Safe Harbour companies ‘self regulating’ are over.

A new game plan

As Christian Toon, head of information risk for Europe at information management firm Iron Mountain explains, many consumers are ‘likely to welcome such change as a step in the right direction after the wake up call of NSA and PRISM.’

But as the changes will, at the very least, mean an end to the free pass for data exchange for US authorities and companies, ‘many businesses will be challenged by the new obligations that are likely to come their way.’

It could be of particular concern for companies storing increasing amounts of data in public clouds with US vendors, where they may or may not know where in the world their data is sitting. But in the midst of all this uncertainty, several distinct studies have highlighted a lack of awareness and understanding among UK businesses about what these changes to the law will really mean for them. Technology market research firm Vanson Bourne says 56% of firms that share customer data with third parties don’t even understand current data protection law, let alone the changes, whereas half of British IT decision makers are completely unaware of the forthcoming legislation change, according to a study by security firm Trend Micro.

‘The storage of personal data in the cloud has proven particularly challenging for businesses under both current and future data protection regulatory requirements,’ says Dr Elizabeth Maxwell, EMEA mainframe technical director at IT solutions firm Compuware. ‘This is in large part because the essence of data protection is to provide individuals with transparency over who holds data about them and what is being done with it. As such, the very nature of ‘cloud’ being difficult to pin down to a physical location is contradictory to the level of certainty that data protection strives to achieve.’

All this throws up many questions. Should businesses and their customers who deal with personal data be concerned about the practical limitations of their use of public cloud services? And what will it take to remain compliant when their data may be held in US data centres?

‘As data becomes more international and the handling terms of it change, so too will the market have to change to accommodate this if the players want the business,’ argues Maxwell. ‘Everyone will have to come up to par if they want a place in the game.’

A responsible future

Once approved, the 28 member states of the EU will have two years to become fully compliant with the new Data Protection Regulation.

‘For many businesses this will seem a long way off,’ says Iron Mountain’s Toon. ‘It can be tempting to wait to make any changes until they become a legal requirement – but this would be a mistake.’

Given the huge pressure in the European Commission to overhaul Safe Harbour, it makes absolute sense for vendors to start preparing now. This is already becoming apparent with many of the larger public cloud providers such as Amazon and Microsoft, who have decided their safest bet is to invest in co-locations and data centres, specifically with their European customers in mind – something which will become even more of a competitive advantage as time goes on.

‘If the market’s big enough and the vendor feels they can build a bigger profitable business in Europe, they should go for it,’ says Rajesh Ram, chief product officer for enterprise file sharing company Egnyte. ‘Some vendors will choose to serve the European market, some will not, but we are letting the choice be in the hands of the vendor as opposed to forcing out US vendors from a regulation perspective.’

EU-based cloud providers are not exempt from the crackdown either. Part of the proposed new EU Regulation is a change to who would be liable to protect personal data. Under current law, there are three parties relevant in the world of data protection, each with different rights and obligations – the data subject (who the data is about, and who has rights to the privacy of that data), the data controller (the organisation that controls the data and who has all the obligations), and the processor acting on behalf of the controller (in this context, the cloud provider).

Presently if a controller wants to get the requirements of the law to apply to their cloud vendor, they have to do all the work to impose contractual obligations on them. But it’s envisioned that the same legal responsibilities for protection of data will apply to both controller and the processor working with the data on their behalf. This broadening of responsibility will apply to data controllers outside of the EU, including US companies, where the data is related to services or goods offered to data subjects in the EU.

Essentially this means even more work and process for cloud companies, and many people are very optimistic about how these reforms could shape the public cloud market for enterprise customers.

‘I think it’s going to be a good thing,’ argues Beverley Flynn, a data protection consultant for law firm Stevens and Bolton. ‘It will commoditise the industry more. That’s a good thing because the regulator will be able to visit both controllers and processors. It will put much more of an onus on cloud providers to ensure they’ve undertaken their own risk assessment and put in place their own policies.’

But though these reforms put more responsibility into the hands of the controller, Flynn is keen to stress that this is ‘no excuse’ for cloud customers handling personal information to be ‘lax’ about their data protection.

‘Controllers must still ensure they choose the right processors and put in place the right risk assessment,’ she says. ‘The new legislation will have a risk-assessment based regime, so it means that instead of registering with the Information Commissioner’s officers and paying their ten pounds or whatever it is, it will be a bit like a health and safety regime based around policies and procedures.’

Flynn argues that public cloud providers will be forced to engage in proactive dialogues with their customers, with much more explicit terms and conditions, making it easier for their customers to negotiate terms with their providers. For their enterprise customers, this dialogue should include finding out exactly where data is stored, who has access to it and whether it will be moved to ensure data integrity, as well as asking questions as to the physical and IT infrastructure of the data centre, the training and vetting processes of staff, and any business continuity planning in place.

A lot of the changes around data protection are still up in the air, and as Egnyte’s Rajesh Ram predicts, ‘we’re going through a period of chaos, which is going to get worse before it gets better.’

In five to ten years, there’s no doubt we will be living in a far more connected and unified world.

‘But we will have to sort through a lot of these issues first. It’s early days, and there will be a few roadbumps before we get there, we just need the technological will and the political will to confront these issues.’

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...