In retrospect, the Safe Harbor Framework was a disaster waiting to happen. Nevertheless, many UK companies bought into the idea and are now stuck with the prospect of sailing through uncharted waters to find a safer haven.
In 1998 the EU established a regulation prohibiting the transfer of personal data to non-European countries that did not adhere to EU standards, effectively making it illegal to store data on European customers in the United States. There was no way the United States Department of Commerce was going to take that lying down. So in 2000, the US Department of Commerce and the European Union came up with a compromise solution, called the “Safe Harbor” agreement, which consists of a set of guidelines for US companies to follow in order to adhere to EU laws on data privacy.
Under the agreement, American companies could “self-certify” – that is, they indicate that they follow the guidelines, and as a result the US Department of Commerce adds the name of the company to its website. When a company self-certifies, it is making a public commitment to following the rules, and is therefore exposing itself to laws against misrepresentation should it not follow the guidelines.
While over 5,000 companies have self-certified under the agreement, according to the independent consultancy Galexia, many of those companies never really followed the guidelines. It’s also worth noting that companies such as Amazon, Google, and Microsoft (all three of whom are on the list of companies supposedly following the agreement) have teams of lawyers who can get them off any misrepresentation charges with a slap on the wrist.
What’s more, as we now know, the Safe Harbor Framework doesn’t stand up in European court. Just this month, in the ruling Schrems v. Data Protection Authority, the court ruled that regardless of whether the companies are following the guidelines, the US public authorities are under no obligation to adhere to the agreement. Therefore, European companies that store personal data in the United States are acting illegally, even when they are doing business with US companies operating under the Safe Harbor Framework.
So what happens next?
The US Department of Commerce and the EU say they will come up with a revised agreement by January 2016. The trouble is, they will wind up with the same problem. The US public authorities will still be under no obligation to adhere to the agreement. As the EU Court put it in the ruling this month, “public interest and law enforcement requirements of the United States prevail over the safe harbor scheme”.
The best thing for UK companies to do is to keep their data out of the United States and to insist that all cloud providers they use in Europe do not outsource storage services to data centres in the United States. For example, if you are using Amazon Web Services in Europe, make sure the contract states that at no time will data be stored at Amazon data centres in the United States.
It’s time for UK CIOs to find a safer place to dock their ships.