Don't panic, biz bods: A guide to data in the post-Safe Harbor world

The Safe Harbor agreement this week suddenly became of interest to a lot more IT managers than had previously given a stuff about it. But what is Safe Harbor, exactly? The Safe Harbor agreement between the US and the EEA - which comprises the member states of the EU plus Iceland, Norway and Liechtenstein – dating from 2000, …

  1. Jason Bloomberg Silver badge

    IANAL but didn't the ECJ effectively rule that the US does not have adequate laws in place to provide satisfactory data protection?

    Isn't that a ruling which, no matter what due diligence is undertaken, rules America out as an acceptable place to process data?

    1. Anonymous Coward

      You got it in a nutshell

      Point eight of the Data Protection Principles states

      "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

      The ECJ has said that the USA does not comply.

      Point 9 of the checklist says

      " If not, can you put in place adequate safeguards to protect the rights of the data subjects whose data is to be transferred?"

      We know that the US authorities (NSA, FBI, etc.) can demand access to any data held in the US, and that data holders such as Facebook, Microsoft, Apple etc. will obey their masters, so the only way to protect this data is to use strong encryption and refuse to give the keys. This is illegal in the USA and they can try to extradite you from the UK if you try it. UK authorities have shown themselves happy to comply with similar extraditions.

      I expect not much will happen until an activist like Max Schrems takes the next step and starts proceedings against the Data Protection Manager of one of these companies. A bit of jail time may focus their minds on the need to de-USA data storage.

    2. Anonymous Coward

      Isn't that a ruling which, no matter what due diligence is undertaken, rules confirms America out as an acceptable place to process data?

      Fixed it for you. It's old news for those that need to work with information that Data Protection classes as "sensitive".

    3. nsld

      Indeed

      That is the key point.

      You can try to polish the turd with BCRs and Model Contract Clauses but you will still fall down on the article 8 (2) requirement.

      The only way to get round that would be a change in US law to afford aliens more privacy rights than the locals or a change to FISA and the Patriot Act (amongst others) to add oversight and redress to the process.

      Neither of those is a vote winner from a US perspective; can you imagine Donald Trump's reaction to "aliens" having more rights?

      The issue is really that it's the Data Controller's responsibility to ensure that the requirements are met, which means not sticking data into the US until things change.

      The big players got ready for this in advance with EU data centres etc. It's now up to the smaller players to get into a better position.

    4. a_yank_lurker

      Given the fondness of US three letter criminal entities (er, federal agencies) for snooping, backdoors, and any other illegal data grabbing/fondling they can come up with, the US was never and is not a safe place to process data.

  2. Anonymous Coward

    The only thing you have to really know ..

    .. is that this is not a new problem. It's only become public that it is a problem. Anyone with a basic understanding of how Safe Harbor works and with a real desire to protect customer information would not have even considered hosting anything sensitive in the US.

    The first lesson when dealing with something that has a massive political angle is that you ought to remain calm and not act too quickly. Think, observe and wait until the dust has settled - there is another verdict pending which will define just how unsafe your data is in the hands of a US provider (yes, unsafe, it has never been safe, irrespective of what they're trying to tell you). I would wait at least until the end of this month before finalising any migration plans.

  3. alain williams Silver badge

    The cynic in me ...

    thinks that this will be a hot topic to a few nerds in the IT/database world for a few weeks. Then some smart ass lawyer will come up with something that doesn't change anything at all but will allow everyone to go back to sleep. The company CEOs, etc., wilfully keeping their eyes shut tight while singing 'La-La' because they don't want to go through the bother of doing anything.

    If someone complains, the answer will be 'sue us' (after being ignored for months). It will be up to a few individuals to do something - spending lots of money.

    By the time it gets to court TiSA will be in force and muddy the whole issue - if not allowing anyone to do anything with anyone's data. If a government tries to stop them, the government will be sued under TiSA provisions.

    The data protection registrar will remain quietly asleep.

  4. Your alien overlord - fear me

    Call me ignorant but if your data is 'in the cloud' how do you know the cloud data won't move to the USA (or anywhere else really) without your knowledge? After all, it's in the cloud and as we all know, clouds drift where they like, ignoring country borders.

    1. Anonymous Coward

      @Your alien - It's just like in real life!

      If you look up at the sky and see a cloud in Europe and do the same in the USoA, that doesn't mean they're the same cloud.

    2. This post has been deleted by its author

  5. Anonymous Coward

    That data is ours

    So USA, keep your mitts off it. We can misuse it well enough ourselves without your help, ok!

    1. Anonymous Coward

      Re: That data is ours

      Last time I looked, the various EU intelligence services fell all over themselves setting up sharing arrangements of the 'take' with the NSA. So it's all your data belong to US. Your intelligence agencies need a muzzle just as much, if not more, than ours. What evil have we all wrought by merely doing nothing.

  6. Anonymous Coward

    American data in UK

    I run a small company in the UK and have quite a number of American customers. Is there any requirement to keep their data safe, seeing as they are not European?

    1. alain williams Silver badge

      Re: American data in UK

      The EU data protection laws do not make a distinction of who the data subjects are. You should thus look after data about people from the USA as well as you would data about people in the EU.

      This does raise an interesting point: since the USA is unsafe, how much data about USA customers should you share with people in the USA? In particular, if the FBI ask you for what a 'mercan has been up to, should you comply unless they get a court order in a UK court to compel you to?

    2. Doctor Syntax Silver badge

      Re: American data in UK

      From https://ico.org.uk/media/for-organisations/documents/1529/assessing_adequacy_international_data_transfers.pdf

      "Where the country (or territory) of origin of the information is outside the EEA it is important to remember that the DPA is not intended to provide a different level of protection for the data subjects rights than that provided by the data protection regime, if any, in the non-EEA country of origin."

  7. Anonymous Coward

    confusing?

    so - let's take a hypothetical EU citizen (let's call her Angela). She uses Microsoft's servers in Ireland.

    A court in the United States orders Microsoft to transfer data outside the EEA in the absence of a Safe Harbor Agreement, and without providing a valid warrant, under Irish law, for Angela's data.

    How does that fit in with data protection? ;-)

    1. Yet Another Anonymous coward Silver badge

      Re: confusing?

      Then Microsoft will be breaking the law in Ireland and will be prosecuted with the full power the Irish DPA (a room above a chip shop) can bring against a massive US corporation who have a sweet deal with the Irish government to keep their HQ there and pay bugger all tax

      ie they will do nothing

  8. Anonymous Coward

    It's all an Act. They'll keep doing it anyway and blame it on a couple of software engineers.

  9. Griffo

    Legal Constructs to save the day?

    Think about how this adds to the current case of Microsoft (yes, Microsoft, for all you MS haters on here) fighting the US government to protect their customers' data stored in Ireland.

    http://www.theguardian.com/technology/2015/sep/09/microsoft-court-case-hotmail-ireland-search-warrant

    If MS lose that case, and they can't come up with a solution to the safe-harbour ruling, then they are probably going to witness the destruction of their overseas cloud business. I doubt they don't have a plan up their sleeves that would involve some kind of break-out of the cloud side of the business to "partners" established in each datacenter country. A bit like they do with Vianet in China. That way the data would be hosted by an in-country organisation that would be solely bound by that country's laws.

    1. Looper

      Re: Legal Constructs to save the day?

      Potential outcomes of: "If MS lose that case"...

      1/ The US govt legally (in the US) demands that MS hand over the data.

      2/ MS EU giving the data to the US govt is illegal (in Ireland and every other EU member state), since the data pertains to citizens of EU member states, and must respect EU privacy legislation.

      3/ Any citizen of any EU member state can bring legal proceedings against MS EU if they comply with the US govt demand for the data.

      4/ The US govt can bring legal proceedings against MS if they do not comply with the US govt demand for the data.

      5/ MS get sued either way. They will probably go the way of least collateral damage.

      6/ Watch as the US IT corporate world either a) goes into meltdown, b) comes up with a new legal arrangement for their offshore entities that disconnect themselves completely from US ownership, and thus avoid compliance with US law.

      7/ Watch the backlash against the US govt from the marketplace.
