Safe Harbor is Dead – Now What?
On Tuesday, October 6, 2015, the European Court of Justice struck down Safe Harbor, an international agreement that allowed companies to move digital information between the United States and Europe. According to a New York Times article, “The decision left the international operations of companies like Google and Facebook in a sort of legal limbo even as their services continued working as usual.”
The European Court of Justice struck down the Safe Harbor agreement, ruling it to be flawed because it allowed personal information to be transferred to the U.S., where American government authorities could gain routine access to Europeans’ online information. The court has left data protection regulators in each of the European Union’s 28 countries in charge of policing how companies collect and use online information of their countries’ citizens. European countries have widely varying stances toward privacy, although in theory, a single pan-European General Data Protection Regulation (GDPR) will take precedence by the end of the decade.
Five years awaiting GDPR harmonization is a long time, and in the interim confusion could reign. How will regulators in 28 countries interpret this issue? Some may take a relatively paternalistic approach, others a laissez-faire approach. Operating any kind of international ecommerce service, cloud service, or even a multinational enterprise network will become more complicated for enterprises that had been relying on Safe Harbor for legal cover.
Impact on Cloud Service Providers (CSPs)
Per the New York Times article:
“The court said on Tuesday that national data protection regulators could limit data-sharing activities if they believed their citizens’ data could be used in ways not guaranteed under European law…Big companies like Google and Facebook might then have to store the information solely within their European operations. Those two companies already operate data centers in Europe. But smaller businesses on both sides of the Atlantic might have more trouble complying with the court order.
In anticipation of the ruling, many companies tasked teams of lawyers with figuring out how to continue their operations largely unimpeded. For large tech companies, other data transfer methods, including internal company agreements and clauses inserted into terms and conditions of service, could allow them to continue moving data to the United States.”
Impact on Enterprises
Big high-profile services like Facebook expect to be targeted by regulators and have already invested in legalistic and operational contingency plans. Enterprises such as retailers and manufacturers have probably not invested in such contingencies and may be caught off guard. The coming weeks and months will find many companies searching for guidance on what to expect and what to do from the legal and operational perspective. It isn’t clear whether the U.S. government will be able to negotiate anything satisfactory to the majority of the 28 European countries, or whether those countries will offer consistent guidance to companies trying to do business and serve customers across borders.
Recommendations on Architecture
Security Architects Partners can’t provide any legal advice, only architectural guidance. We continue to recommend that data controllers (CSPs or enterprises) hosting international customer or employee data for themselves or other business customers maximize flexibility and adaptability in the following areas:
- Establish or use safe haven data centers in multiple regions
- Tag personally identifying information (PII) and other personal data to regions and countries to enable context-sensitive decisions on where to store or serve it
- Implement identity abstraction layers (such as virtual directory services) to allow unified views of data in multiple locations
- Utilize transforms – such as encryption or tokenization – to reduce risk of accidentally mis-filing data
- Separate key management repositories and services from the encrypted data to decrease location-related sensitivities
- Develop adaptive access control solutions to control the flow of personal data across borders or locations
- Establish, enforce and audit acceptable use policies for people and applications handling PII (e.g. access but do not store)
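The following is an added illustration of how the tagging, tokenization, key-separation and adaptive-access recommendations above fit together; it is example code written for this page, not a Security Architects Partners deliverable. The transfer policy, region names and the HMAC key are constructed assumptions.

```python
"""Region-tagged personal data with policy-driven tokenization before cross-border transfer."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed policy (assumption): hosting regions where raw personal data of a
# subject from a given jurisdiction may be stored. Anything else gets tokenized.
TRANSFER_POLICY = {
    "EU": {"eu-west", "eu-central"},
    "US": {"us-east", "us-west", "eu-west"},
}

# Audit trail of every storage/serving decision (acceptable-use auditing).
DECISION_LOG = []


@dataclass
class Record:
    subject_id: str
    jurisdiction: str              # tag applied at collection time, e.g. "EU"
    pii: dict                      # fields that identify the person
    non_pii: dict = field(default_factory=dict)


class TokenVault:
    """Token-to-PII map kept in the subject's home region; the HMAC key comes
    from a separate key service and is never stored alongside the data."""
    def __init__(self, region: str, hmac_key: bytes):
        self.region = region
        self._key = hmac_key
        self._store = {}

    def tokenize(self, value: str) -> str:
        tok = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._store[tok] = value   # raw value stays in the vault's region only
        return tok

    def detokenize(self, tok: str) -> str:
        return self._store[tok]


def may_store_raw(record: Record, target_region: str) -> bool:
    return target_region in TRANSFER_POLICY.get(record.jurisdiction, set())


def prepare_for_region(record: Record, target_region: str, vault: TokenVault):
    """Return (payload, tokenized): raw fields if policy allows, else PII replaced by tokens."""
    allowed = may_store_raw(record, target_region)
    DECISION_LOG.append((record.subject_id, record.jurisdiction, target_region, allowed))
    if allowed:
        return {"subject_id": record.subject_id, **record.pii, **record.non_pii}, False
    tokens = {k: vault.tokenize(v) for k, v in record.pii.items()}
    return {"subject_id": record.subject_id, **tokens, **record.non_pii}, True
```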
It seems to me that I wrote a post with architectural recommendations very like these over 5 years ago. Perhaps Safe Harbor has been a crutch that has spared enterprises from having to develop sophisticated, location-sensitive identity data handling solutions. Perhaps now there will be funding and impetus to create and implement comprehensive architecture patterns based on these kinds of recommendations.
And for every CSP that is negatively impacted by the new reality, perhaps there will be another that finds opportunities providing Privacy By Design solutions. New solutions must be calibrated for a world in which (we hope) commerce and communications across borders remain plentiful even when trust is in short supply.