In-brief: An EU Court’s ruling invalidating a 15-year-old safe harbor agreement between the US and EU leaves companies with a myriad of choices about how to respond – none of them good.
Call it “Splinternet:” a splintering of the once borderless landscape of the Internet, across which information has flowed freely for decades, as individual countries within the European Union (EU) seek to assert their own rules and priorities over data related to their citizens.
That’s one likely outcome of a European Union court’s decision this week to strike down a 15-year-old safe harbor agreement between the United States and the EU, experts agree. The decision – while expected – will impose significant hardships on companies in the EU and the US, with technology and cloud-based services providers particularly hard hit.
“This is a seismic event. It’s very significant,” said Omer Tene, the Vice President of Research at The International Association of Privacy Professionals. “This presents real challenges for companies operating across the Atlantic.”
In a ruling Tuesday, the Court of Justice of the European Union withdrew from a bilateral agreement that has governed transmissions of personal data between companies in the EU and the US since the turn of the millennium, citing “mass and indiscriminate surveillance and interception” of EU residents’ data by U.S. intelligence and law enforcement agencies. The decision follows an opinion on September 23 by Advocate General Yves Bot that presaged much of the full Court’s final ruling.
The ruling was hailed by online privacy and civil liberties advocates, who saw it as a rebuke for the U.S. intelligence community’s wholesale spying.
“The spread of knowledge about the NSA’s surveillance programs has shaken the trust of customers in U.S. Internet companies… especially non-U.S. customers who have discovered how weak the legal protections over their data are under U.S. law,” wrote Danny O’Brien of The Electronic Frontier Foundation in the wake of the decision. “It should come as no surprise, then, that the European Court of Justice (CJEU) has decided that United States companies can no longer be automatically trusted with the personal data of Europeans.”
But the ruling has left businesses scrambling to find a way to replace the legal assurances that safe harbor offered.
“If this goes forward, it dramatically changes the architecture of a large number of industries and sectors,” said Chip Block, the Vice President of Evolver Inc., a 15-year-old Reston, Virginia firm that works with customers in the legal, government and commercial sectors. Block said the ruling will be felt across sectors, affecting firms as disparate as cloud services providers and medical device makers.
“This requires a major segmentation of EU data versus other worldwide data,” he wrote in an e-mail. That, in turn, will increase costs for firms and their customers by necessitating more data centers and data storage facilities in the EU. “International companies can no longer have worldwide data centers but will have to design to meet the new requirements,” he wrote.
Cloud services providers like Amazon.com, Google, Dropbox and others are likely to feel the pinch of the ruling most acutely, experts agreed.
“From a technology perspective, this hits the large cloud and data storage companies pretty hard as they cannot leverage their worldwide assets to create lower costs and faster service. The physical location of data becomes a factor in design and operational decisions,” Block wrote.
But the impact could be felt across EU economies, accentuating political and geographic splits in the euro zone. “Even at the macro level, if you just look at the EU, this decision runs against the general thrust of trying to harmonize and federalize Europe,” Tene said.
So what’s next? Tene of the IAPP said there are three main alternatives to safe harbor going forward.
The first is to replace the protections safe harbor offered with contracts that govern data exchanges on a site-by-site basis with EU member states. Tene said contracts of this sort already exist covering, for example, data transferred between Facebook servers in Ireland and the company’s servers and third-party data partners in the U.S.
Model contract clauses have been approved by the European Commission as one way that companies can safely and legally transfer personal data on EU residents outside of the European Economic Area, notes Gerry Grealish, the head of Cloud Data Security at the security firm Blue Coat.
Companies like Google have long relied on such mechanisms to allow Google Apps developers and others to stay on the right side of stringent EU data privacy laws. “It’s basically an additional set of legalese that can be added as an addendum to your contract,” said Grealish.
But that kind of dealmaking is far more complex for firms in industries like financial services that might support thousands of affiliates across the globe. For that, contracts may be needed between national data protection authorities within EU member states. Such contracts would generically cover transfers between Internet nodes under their jurisdiction, Tene said.
Yet another option: keeping EU data in the EU. “You can work with cloud services based in Europe,” Tene said. But that raises concerns about fragmentation and Balkanization of the Internet, which from its inception has confounded attempts to erect barriers to the free flow of information. “Any attempt to regulate cyber space is fraught with difficulties,” Tene said. “Laws are national, but the Internet is not, so there are inherent problems.”
Though momentous, the Court of Justice ruling on Safe Harbor was not unexpected. Experts have noted that the decision is in line with tougher EU data regulations that are set to be ratified next year. Those rules will likely include toothier enforcement against privacy violations. In some instances, fines could total up to 2% of a violating company’s annual turnover – a figure that reaches billions of dollars for large operators like Google, Microsoft or Amazon.com, Tene noted.
And where policy-based fixes fail, technical fixes may be part of a solution. Grealish said Blue Coat sees an opportunity to help EU and US firms stay in compliance using its gateway appliances, which apply tokenization and other approaches to selectively obfuscate sensitive and regulated data before it is transmitted outside of the EEA. For example, bank loan origination documents for EU residents might be transmitted to a service provider outside Europe for processing, but personal information on the residents would be obfuscated before transmission, keeping the companies compliant with EU data privacy laws.
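The tokenization approach described above, as an added illustration that is not Blue Coat’s code: personal fields of a loan record are swapped for random tokens by a gateway, the only mapping back to real values stays in a vault inside the EEA, and the out-of-region processor works on tokens alone. The record, field list and vault are assumptions constructed for the example.

```python
import secrets
from typing import Dict, Tuple

# Fields treated as personal data under the (assumed) classification policy.
PII_FIELDS = {"name", "national_id", "email", "address"}


class TokenVault:
    """Maps tokens back to original values. Hosted in-region only: it is the
    single store that can re-identify the data and must never cross the border."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Random, non-deterministic tokens: unlike a hash of the value, a token
        # cannot be reversed by guessing low-entropy inputs such as a name.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def outbound(record: dict, vault: TokenVault) -> dict:
    """Gateway path EEA -> external processor: replace PII with tokens."""
    return {k: vault.tokenize(v) if k in PII_FIELDS else v for k, v in record.items()}


def inbound(record: dict, vault: TokenVault) -> dict:
    """Gateway path back into the EEA: restore the original values."""
    return {k: vault.detokenize(v) if k in PII_FIELDS else v for k, v in record.items()}


def leaks_pii(outbound_record: dict, original: dict) -> bool:
    """Pre-transmission check: does any original PII value still appear anywhere?"""
    sent = " ".join(str(v) for v in outbound_record.values())
    return any(original[f] in sent for f in PII_FIELDS if f in original)


# Constructed sample loan-origination record (not real data).
SAMPLE = {"name": "Example Person", "national_id": "EX-000000", "email": "x@example.invalid",
          "address": "1 Example Street, Exampleton", "loan_amount": 250000, "term_months": 360}


def run_sample() -> Tuple[dict, dict, bool]:
    vault = TokenVault()
    sent = outbound(SAMPLE, vault)                 # this is what crosses the border
    processed = dict(sent, decision="approved")    # processor only ever sees tokens
    returned = inbound(processed, vault)           # re-identified inside the EEA
    return sent, returned, leaks_pii(sent, SAMPLE)
```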
Given the revelations resulting from Edward Snowden’s leak, such technology approaches to protecting data are likely to be an important part of trans-national and transatlantic business operations even after a new Safe Harbor agreement is in place, he said.
In the short-term, however, businesses on both sides of the Atlantic are likely to struggle to deal with the aftermath of the Court ruling and the lack of a clear path forward on rules to replace the 15-year-old Safe Harbor agreement that was thrown out.
“I don’t think this decision is good news for EU businesses or even for European authorities,” said Tene. “I don’t think the EU Commission is happy about this decision at all.”