Unsafe Harbor? Data Privacy and Security Post Safe Harbor

Author: Bob Muglia

Cloud Data Security, Market News

On October 6th, the European Court of Justice declared the Safe Harbor structure to be invalid. Since its establishment in 2000, Safe Harbor has provided a simple, legal mechanism to transfer Personal Data outside of Europe to data centers located in the United States. Safe Harbor as we’ve known it is gone forever and European regulators have indicated that they plan to begin strict enforcement of this at the end of January. This news is leaving many American companies reeling.

There is a scramble within political bodies to find a solution for this and to establish new regulation, but given the differences in U.S. and European privacy laws it is highly unlikely that a Safe Harbor replacement will be created before the January deadline. Perhaps the deadline will be extended, but given the definitive nature of the ruling it seems unwise to count on that.

Some companies are looking at an alternative structure called Model Clauses to replace Safe Harbor. Our analysis of this structure is that it is cumbersome at best, and in the long-term Model Clauses may be overturned by a future European court ruling as they do not address the fundamental differences in privacy policy between Europe and the U.S.

Unlike Safe Harbor, Model Clauses are a contract between organizations that have access to Personal Data. The challenge is that these clauses require agreement by all parties involved – the company providing the service, the recipient of the service, and all subcontractors that process the Personal Data. Although Model Clauses are generally standardized, they need to be individually negotiated. In some cases, Model Clauses require individual registration within the jurisdiction where the Personal Data is collected, often the home country of the relevant European citizen. Beyond these complexities, Model Clauses could be challenged in court so this messy solution may be temporary at best.

So what is the answer if your business relies on processing European Personal Data in the United States? Snowflake’s recommendation is to leave the Personal Data in Europe. If it is feasible to perform all data processing in Europe, that will solve your European Personal Data problem. But duplicating your entire application stack in Europe is impractical for some companies. The alternative is a hybrid solution. If it is preferable to perform some processing in the U.S., your best option is to create a mapping within your European data center between the Personal Data and a unique ID. As long as that ID is generated randomly rather than derived from the user’s data, and does not contain any descriptive information about the user, it can be sent safely to the U.S. If further actions that require Personal Data need to be performed (for example, sending an email to the user), the IDs must be sent back to Europe and those steps must be performed on European soil.

While an anonymized ID can be safely sent to the U.S., attaching descriptive information to that ID may render it identifiable, in which case it would be considered Personal Data under European law. These rules vary by European country; for example, associating an ID with gender, location, and age would be considered identifiable under French law, so that combination cannot be sent to the U.S. While the approach of sending only anonymized IDs to the U.S. is generally safe, the details matter, so you need to validate your solution with legal counsel experienced in European privacy law.
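The hybrid pattern from the two paragraphs above, as an added Python example that is not code from the original post or from Snowflake: an EU-side vault hands out random tokens, a border check refuses any payload that still carries an identifier or one of the quasi-identifiers named in the text, the U.S. side works on tokens only, and the tokens are resolved back to email addresses in Europe. The field lists, the sample records and the "three or more purchases" selection rule are assumptions made for illustration; which attributes count as identifying in a given country is a question for counsel, as the text says. The last function shows why the token should be random: an ID derived from the data with an unkeyed hash can be recovered from a list of candidate emails.

```python
"""Pseudonymization pattern: Personal Data stays in an EU-side vault,
only opaque random tokens plus non-identifying attributes cross to the US,
and any step that needs Personal Data is resolved back on the EU side."""
import hashlib
import secrets

# Field classification (an assumption for this example, not a legal
# determination): direct identifiers never leave Europe, and neither do the
# quasi-identifiers the text gives as making an ID identifiable under French law.
DIRECT_IDENTIFIERS = {"email", "name", "phone", "ip_address"}
QUASI_IDENTIFIERS = {"gender", "age", "location", "birth_date", "postcode"}

# Constructed sample records held in the EU data center.
EU_RECORDS = [
    {"email": "anna@example.eu", "name": "Anna", "gender": "F", "age": 34,
     "location": "Lyon", "plan": "pro", "purchases": 5},
    {"email": "bert@example.eu", "name": "Bert", "gender": "M", "age": 51,
     "location": "Hamburg", "plan": "free", "purchases": 1},
]


class EuTokenVault:
    """Runs only in Europe. Maps random tokens to Personal Data."""

    def __init__(self):
        self._record_by_token = {}
        self._token_by_email = {}

    def tokenize(self, record):
        email = record["email"]
        if email not in self._token_by_email:
            # Random token: carries no information about the person and
            # cannot be recomputed by anyone who lacks the vault.
            token = secrets.token_hex(16)
            self._token_by_email[email] = token
            self._record_by_token[token] = dict(record)
        return self._token_by_email[email]

    def resolve(self, token):
        return self._record_by_token[token]


def export_for_us(record, token):
    """Build the payload that may cross to the US: token plus permitted fields."""
    payload = {"id": token}
    for key, value in record.items():
        if key not in DIRECT_IDENTIFIERS and key not in QUASI_IDENTIFIERS:
            payload[key] = value
    return payload


def check_export(payload):
    """Gate at the border: refuse anything still carrying an identifier."""
    leaked = (DIRECT_IDENTIFIERS | QUASI_IDENTIFIERS) & set(payload)
    if leaked:
        raise ValueError(f"refusing to export identifying fields: {sorted(leaked)}")
    return payload


def us_pick_targets(payloads):
    """US-side processing sees tokens only: here, who should get a mailing."""
    return [p["id"] for p in payloads if p["purchases"] >= 3]


def eu_mail_targets(vault, tokens):
    """Back in Europe, tokens are resolved to addresses for the actual send."""
    return [vault.resolve(t)["email"] for t in tokens]


def derived_id_recoverable(email, candidate_emails):
    """Why the token must be random: an ID derived from the data (an unkeyed
    SHA-256 of the email) is reversed by hashing a candidate list."""
    target = hashlib.sha256(email.encode()).hexdigest()
    return any(hashlib.sha256(c.encode()).hexdigest() == target
               for c in candidate_emails)


def run_pipeline(records=EU_RECORDS):
    """EU tokenizes and exports; US selects; EU resolves and sends."""
    vault = EuTokenVault()
    exports = [check_export(export_for_us(r, vault.tokenize(r))) for r in records]
    targets = us_pick_targets(exports)              # happens in the US
    return exports, eu_mail_targets(vault, targets)  # happens in Europe


if __name__ == "__main__":
    exports, mailed = run_pipeline()
    print(exports)
    print(mailed)
```

The vault is the only component that can turn a token back into a person, so it is the component to keep on European soil and to lock down; the border check is deliberately a denylist of field names, which is only as good as the classification fed to it.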

Of course, keeping Personal Data outside the U.S. means establishing some form of data center footprint within Europe. Fortunately, this is much easier because of the prevalence of cloud services. And while the approach of leaving Personal Data within Europe adds complexity to a solution, this complexity appears to be more manageable than the legal quagmire of Safe Harbor alternatives.

There is a reasonable argument that storing data within a sovereign nation is no longer a sound basis for privacy protection. In today’s connected world, every time a European citizen travels abroad, their Personal Data moves with them and thus is potentially vulnerable. Snowflake believes in pervasive use of strong data encryption to protect data. In the long-term, we feel that thoughtful, encryption-based privacy laws can replace today’s antiquated policies which rely on the location of data storage.

However, the reality is that government policy moves much slower than technology, and it will be quite some time before these laws are updated to reflect the reality of today’s world. Until then, the only thing we can do is abide by the laws of individual countries. For now, the only truly safe harbor for European Personal Data is to leave that data in Europe.

Bob Muglia
CEO, Snowflake Computing