When the Apollo 13 astronauts had a problem, quick action was needed for the astronauts’ safety and the success of the mission, as is often the case with space travel. Companies that handle data between the US and the EU are today realizing… “We have a problem.”
That problem is the obliteration of US-EU Safe Harbor. Safe Harbor is a framework that has helped U.S. companies deal with the requirements of European Union data privacy and protection mandates. The European Union has had requirements on the protection of personal data since 1995 via Directive 95/46/EC. The EC Directive on Data Protection enacted in October 1998 prohibited the transfer of personal data outside the EU if the receiving country did not meet adequate standards for privacy protection. The EU takes data privacy and protection seriously and expects any country receiving its data to do the same; for the U.S., this was Safe Harbor.
The U.S. Department of Commerce, working with the European Commission, came up with the Safe Harbor framework in 2000 as a way of reconciling US and EU data protection and privacy differences. Until today, companies could “self-certify” against the framework and operate under “Safe Harbor” with enforcement done in the U.S. under U.S. law. Data privacy and protection, data sovereignty and the exchange of data between the U.S. and the EU became a big issue on October 6, 2015. The European Court of Justice handed down a binding ruling that Safe Harbor is illegal. The press release from the ECJ stated, “The Court of Justice declares that the Commission’s US Safe Harbor Decision is invalid.” No more Safe Harbor and no more self-certifying that companies are doing enough to provide adequate protections to meet EU mandates. Companies that were able to use Safe Harbor as a framework for data protection and meet EU directives no longer have that option. The ECJ decision is effective today with no grace period, leaving companies exposed to potential legal risk. If companies want to completely comply, it likely means that they must examine what data they have from nations in the EU and either begin moving the data to infrastructure housed in those nations or demonstrate, via encryption or access controls, that it is inaccessible if stored on infrastructure outside those nations. The risk to companies lies in how quickly enforcement or legal action is taken.
It used to be a bit easier to know on what servers and where your data was located. With the adoption of the cloud, this becomes a more difficult challenge. In what nation does my data reside and who has access to it? Safe Harbor allowed self-certification that adequate measures were being taken to protect data. With the adoption of the cloud AND the loss of Safe Harbor, companies face harsh requirements on the location and protection of data stored by them. The cloud and SaaS already make it hard for companies to nail down the location of data (think national boundaries), and the loss of Safe Harbor strikes down the agreement that the U.S. had with the EU to essentially protect companies from the risk of lawsuits if they were not meeting strict EU data protection guidelines.
This problem will likely get more difficult for companies as individual EU countries strengthen and enforce mandates for data privacy and protection. With the ability to claim Safe Harbor obliterated, data protection policies must be strengthened in order to answer many questions. Who is accessing the data? Where are they located? How do you control the viewing of data outside specific national boundaries? And keep in mind the cloud complication. Data sovereignty is going to become a much more familiar term to all companies that handle data, especially data that moves across national boundaries. Without Safe Harbor, companies do not have the option to self-certify against a framework of agreed-upon measures. They must now meet the general EU requirements, and potentially even individual EU nation-level data privacy laws, or risk legal action or fines for failure to do so. For many companies, it is time to get to know data sovereignty.
What is data sovereignty? It is commonly defined as the concept that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located. Data sovereignty is going to require much richer capabilities to apply policy to data privacy and protection. This policy should include location-based boundary controls for data protection via encryption and role/location-based access control to ensure that data is only accessed in accordance with the laws and policies of the country in which it is located or originated.
The use of the cloud and global data sharing has a new problem today: companies are going to have to address data sovereignty and work out how to enforce policy-based data privacy and protection.