Safe Harbor – there are many puns going around the European Court of Justice declaring it void, but let’s resist the temptation to add another one and focus on the practical ramifications.
The biggest consequence is that it is no longer legal to collect, process, and use personal data of E.U. citizens in the U.S. under the Safe Harbor program.
To gain a better understanding of the wider impact this has, a quick look at the basics of Data Protection Law is helpful.
What is Safe Harbor?
Safe Harbor stems from a decision of the European Commission in 2000. It states that American companies wanting to process personal data from the E.U. can register with the U.S. Department of Commerce and opt into a program where the companies voluntarily commit themselves to adhere to the seven principles of data protection (security, data integrity, etc.) and a set of 15 frequently asked questions.
Why is personal data protected?
This is due to the right of informational self-determination, which in turn derives from the universal right of personality.
That said, data protection essentially boils down to the following: No collection, processing and use of personal data is allowed unless 1), the data subject gives its consent, or 2), it is legally permitted. Both forms of permission are subject to data reduction and data economy.
Legal permission includes that processing may be allowed if it is necessary to process the data for one’s own commercial purposes. To avoid obtaining individual consent from the subjects, which can be revoked at any time, most businesses opt for this kind of permission.
In addition to the prerequisites mentioned above, an adequate level of data protection has to be ensured. Adequacy is determined by technical and organizational measures and is given within the E.U. and eight more countries (Andorra, Argentina, Australia, Faeroe Islands, Isle of Man, Canada, Guernsey, Jersey, Switzerland, and Uruguay).
Because the U.S. does not provide this kind of adequate level, as was outlined above, the European Commission and the U.S. entered the Safe Harbor agreement. Safe Harbor was thus intended to ensure an adequate level of data protection. However, it was a controversial measure right from the beginning, as the companies opting in only had to supply a self-declaration of compliance, and no external controls were required. Furthermore, important questions – such as pertaining to rules for the transfer of data outside of the U.S. to third countries – remained unanswered.
Resultantly, the European Court of Justice has declared Safe Harbor void, and American companies have to look for an alternative to provide an adequate level of data protection. Frequent choices include E.U. Standard Model Contract Clauses and so-called Binding Corporate Rules, both obliging the data processor to take appropriate technical and organizational measures to ensure an adequate level of data protection.
The shortfall with these approaches is that the European Court of Justice didn’t in fact declare Safe Harbor void because of the aforementioned criticisms (no controls, transfer etc.). Instead, the European Court of Justice stated that the personal data is not protected from access by public authorities such as intelligence services (NSA, FBI, CIA, etc.), and that there is no way for the individual data subjects to object against their access rights. Assuming that the competencies of the public authorities will not be restricted in the foreseeable future, the US cannot provide an adequate level of data protection at all.
The consequence of this is that no European personal data can be processed in the U.S. today. The question is, what else is there that American companies can do to process European personal data? For one, they could move the servers containing the data to European-
However, what is the definition of personal data? “’Personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural, or social identity.” (EU Directive 95/46/EC)
Safe Harbor – there are many puns going around the European Court of Justice declaring it void, but let’s resist the temptation to add
another one and focus on the practical ramifications.
based data centers. However, even then it is highly questionable whether this ensures an adequate level of data protection, as a New York State court recently ruled that American companies are obliged to surrender data stored on servers located in Europe.
Regardless of such considerations, however, the main issue does not lie in American companies being liable for adherence to European data protection laws. Instead, the responsibility lies with the data controllers themselves: the European companies that collect, process, and use the personal data. It is them who have to choose a suitable data processor – a data processor that can provide an adequate level of data protection. Even though the Article 29 Working Party has given the European Commission until the end of January 2016 to find a solution, national data protection authorities have already in- dicated that they will take firm action in response to complaints, and that they will interpret the Safe Harbor decision very strictly.
To avoid public attention or even fines by national authorities, the best strategy at the moment is to cooperate with European storage companies who are accountable solely to European Authorities and who provide an adequate level of data protection – in Europe.
Using the iECM Doxis4 Suite organisations can ensure that information, including personal data, is exchanged securely and in compliance with data protection regulations. This is because the SER solution provides effective protective mechanisms and highly secure encryption technologies for the archiving and storage of organisational data and documents.
Doxis4 thereby ensures that data can be encrypted in a process of asynchronous replication to the cloud. Prior to being transferred, the content is en- coded at the local data centre with a secure AES-256 key specific to the organisation concerned. As a result, the information is not subject to statutory data protection regulations and cannot be read by the cloud operator
To avoid becoming dependent on particular external providers, this scenario excludes the possibility of a “cloud vendor lock-in”, as Doxis4 is can replicate the content subsequently even if a different cloud provider is used. The same process also takes place with the locally stored documents, avoiding any need for the content of those documents to be recreated by the previous cloud provider.