A ruling by the European Court of Justice (ECJ) on 6th October eroded the foundation of the EU-US ‘Safe Harbour’ agreement. The decision is causing consternation in the legal departments of US companies that store European citizens’ data, and potentially opens the door to a rash of privacy lawsuits across EU member states.
The landmark ruling represents a significant challenge for more than 4,000 European and US companies whose business depends on enabling seamless trans-border data transfers.
It also increases the risk for US companies that, until now, processed EU citizen data in the US and believed the data transfer arrangements they had in place met the standards required by EU law.
For the past 15 years the Safe Harbour data-transfer agreement has governed EU data flows across the Atlantic. Under the arrangement, US companies could self-certify the provision of ‘adequate protection’ for European users’ data in line with requirements for EU data protection – and fundamental human rights like privacy.
However, in the wake of Edward Snowden’s revelations about global and indiscriminate surveillance by the US National Security Agency, the ECJ’s ruling in the Max Schrems lawsuit against Facebook has undermined the self-certified protections promised by Safe Harbour.
As a consequence, every organisation previously covered by Safe Harbour is now potentially out of compliance with European data protection as it stands today. And that’s sent US companies into a scramble about how to manage, store, transfer and use data in Europe.
Large companies, like Google and Facebook, may well have the resources in place to restructure quickly, implementing procedural changes around user data flows and building out additional European data centres to process regional data – but what’s the answer for small and medium-sized enterprises?
Furthermore, where does the ECJ ruling leave the customers of Internet and cloud services providers? Data packets don’t know about jurisdictions, and are often transferred willy-nilly to create resilience and speed up access.
The debate has put the spotlight on privacy and consent for both tech and non-tech businesses. This includes European companies reflecting on a more genuine gathering of consent in preparation for the forthcoming EU General Data Protection Regulation (GDPR), due to come into effect in December 2017.
The new regulation will standardise laws governing data protection across the region and its scope extends to any foreign company that processes the data of EU residents.
Why are companies operating only in the European region sitting up and paying attention to the Safe Harbour situation? Because while the ECJ ruling has significant impact only on EU-US data transfer mechanisms, it’s likely that other legal tools beyond Safe Harbour will also come in for greater scrutiny as the EU GDPR unwinds – all of which creates uncertainty that today’s data transfer arrangements will meet EU standards.
Indeed, the European Telecoms and Network Operators (ETNO) organisation has long pointed out the weaknesses of the Safe Harbour framework. According to ETNO, today’s digital economy needs legal certainty in this field, and it has called for future arrangements to guarantee a high level of data protection that address the challenges – and opportunities – of the digital era.
One thing is certain. We’re set to see a new wave of compliance-oriented responses in the form of more sophisticated data segmentation/residency/sovereignty, data tokenisation and breach response solutions.
But businesses will have to take up a new challenge in the GDPR era – and tactical solutions will be insufficient to meet that challenge. Consider this candidate GDPR legislation wording: 'In order to ensure free consent … consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse to withdraw consent without detriment… The data subject shall have the right to withdraw his or her consent at any time.'
The most strategic long-term approach? Put in place mechanisms for user-consented transfer of data. Luckily, the technology now exists to make this possible: this is where User-Managed Access (UMA) can play a pivotal role.
UMA is a next-generation privacy standard that builds on today’s OAuth web authorisation protocol and gives users convenient, centralised control over how their data is shared, even with multiple data sources.
It does this by allowing users to choose ‘scopes’ of sharing based on specific rules – so they can tailor what information they share about themselves, with whom, and for how long. For example, a householder with UMA-enabled smart home devices could delegate video doorbell access to her house sitter for purposes of viewing who’s at the door and letting people in, but not allow the sitter to disable the doorbell camera.
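The scoped, time-limited sharing described above can be modelled as an owner-held policy that is checked on every access and denies by default. This is an added example, not part of the original article and not the UMA protocol itself; the class, party and scope names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical scope names for the article's video doorbell.
DOORBELL_SCOPES = {"view_camera", "unlock_door", "disable_camera"}

@dataclass
class Grant:
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False

@dataclass
class SharingPolicy:
    """Owner-controlled sharing rules for one resource (simplified model)."""
    owner: str
    known_scopes: set
    grants: dict = field(default_factory=dict)

    def share(self, party, scopes, duration, now):
        # Reject scopes the resource does not define rather than storing them.
        unknown = set(scopes) - self.known_scopes
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        self.grants[party] = Grant(frozenset(scopes), now + duration)

    def withdraw(self, party):
        # Consent can be withdrawn at any time; later checks then fail closed.
        if party in self.grants:
            self.grants[party].revoked = True

    def is_allowed(self, party, scope, now):
        if party == self.owner:
            return scope in self.known_scopes
        grant = self.grants.get(party)
        if grant is None or grant.revoked or now >= grant.expires_at:
            return False  # default deny: no grant, withdrawn, or expired
        return scope in grant.scopes

def demo():
    now = datetime(2015, 10, 6, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    policy = SharingPolicy("householder", DOORBELL_SCOPES)
    policy.share("house_sitter", {"view_camera", "unlock_door"}, timedelta(days=7), now)
    results = {
        "view": policy.is_allowed("house_sitter", "view_camera", now),
        "disable": policy.is_allowed("house_sitter", "disable_camera", now),
        "after_expiry": policy.is_allowed("house_sitter", "view_camera", now + timedelta(days=8)),
    }
    policy.withdraw("house_sitter")
    results["after_withdrawal"] = policy.is_allowed("house_sitter", "unlock_door", now)
    return results
```
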
For businesses looking to embrace digital transformation, UMA represents a hyper-efficient solution to the privacy and consent conundrum. By successfully combining both identity management and effective privacy controls, UMA delivers the ‘privacy-by-design’ capabilities today’s corporate and government-based organisations need to respond to data protection obligations.
As the debate continues to rage about what constitutes ‘informed consent’ and whether this can be applied to high dimensional data, it’s worth remembering that privacy is NOT secrecy – rather, it’s all about context, control, choice and respect. And that’s exactly what UMA brings to the table.
As organisations look to respond to the implications of the Safe Harbour ruling, UMA represents a sustainable and agile approach to post consent management, providing, as it does, a unified control point for people to authorise who and what can get access to their online personal data, content and services.
Sourced from Eve Maler, VP innovation and emerging technology, ForgeRock