Category Archives: Safe Harbour

EU moves forward with Privacy Shield despite EDPS warning

The European Commission has announced it will continue ahead with the EU-US Privacy Shield despite the European Data Protection Supervisor claiming the pact is not robust enough, reports Telecoms.com.

Since Safe Harbour was struck down by the European Court of Justice last year, the industry has been in limbo as politicians were unable to draft an agreement between the US and EU that met the criteria for data protection in the European market. In May, European Data Protection Supervisor Giovanni Buttarelli outlined his concerns on whether the proposed agreement will provide adequate protection against indiscriminate surveillance, believing the pact would not be strong enough to stand up.

“Today Member States have given their strong support to the EU-U.S. Privacy Shield, the renewed safe framework for transatlantic data flows,” said Vice-President Andrus Ansip and Commissioner Věra Jourová in a joint statement. “This paves the way for the formal adoption of the legal texts and for getting the EU-U.S. Privacy Shield up and running. The EU-U.S. Privacy Shield will ensure a high level of protection for individuals and legal certainty for business.”

Despite the European Commission pushing forward with the draft, there have been a number of individuals and parties within the EU who have criticised the agreement. For some, the EU-US Privacy Shield is simply a reheated Safe Harbour, with very little to address the concerns of the original agreement.

The Article 29 Working Group is another influential group that has highlighted to the industry that the pact has made progress, though it did identify a number of shortcomings when looking at mass surveillance and oversight. The new agreement does encourage organizations to be more considered and conservative when sharing data with the US; however, critics of the new agreement have claimed there are still too many exceptions where the US and its intelligence agencies can move around the agreement. Despite the concerns, the European Commission has ploughed ahead.

On the other side of the argument, Microsoft has somewhat unsurprisingly confirmed its support of the pact, though it has stated it should go further. In any case, a large vendor expressing its support for an agreement which would enable the organization to do more business in Europe should not be met with astonishment.

“It is fundamentally different from the old ‘Safe Harbour’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice,” said the announcement. “For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data.”

“And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms. During the formal adoption process, the Commission has consulted as broadly as possible taking on board the input of key stakeholders, notably the independent data protection authorities and the European Parliament. Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice. Today’s vote by the Member States is a strong sign of confidence.”

It would appear the European Commission is moving forward to demonstrate to the industry that progress is being made, though this could be seen as a flimsy approach. With the concerns expressed by influential and respected bodies within the industry, it should not be seen as a surprise if the agreement is struck down once again by the European Court of Justice.

EU-US privacy debate continues as EDPS says try again

On-going efforts to provide clarity and guidance on transatlantic data transmission are unlikely to be seen soon as the European Data Protection Supervisor (EDPS) has outlined concerns over the robustness of the Safe Harbour successor, EU-US Privacy Shield.

European Data Protection Supervisor, Giovanni Buttarelli, outlined his concerns on whether the proposed agreement will provide adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights.

“I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court,” said Buttarelli. “Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue.”

This is in fact the second time in a matter of months an official body has expressed concerns over the EU-US Privacy Shield, as the Article 29 Working Group voiced its concerns over the mass surveillance and oversight shortcomings that it believes are found in the pact. Back in April, WP29 commented Privacy Shield had made progress but still hadn’t covered the cracks which had Safe Harbour kicked out last year.

“The WP29 notes the major improvements the Privacy Shield offers compared to the invalidated Safe Harbour decision. Given the concerns expressed and the clarifications asked, the WP29 urges the Commission to resolve these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU,” said the WP29 group in its official opinion at the time.

The new Privacy Shield agreement does in fact encourage European businesses and organizations to be more considered and conservative when sharing data with US entities; however, critics of the new agreement have highlighted there are still too many exceptions where the US and its intelligence agencies can move around the agreement.

While the opinion of the WP29 is respected throughout the industry, it was not a concrete sign that anything within the Privacy agreement will change. This is the same for the EDPS. There are no guarantees the agreement will be changed following Buttarelli making his opinion public, though it may be a good indicator as to what needs to be done to ensure the pact stands up to scrutiny under the spotlight from the European Court of Justice. This is certainly the case for David Mount, Director of Security Solutions at Micro Focus.

“Buttarelli talks of a need for significant improvements before the agreement can be viable, which raises a key point around the self-certification aspects of Safe Harbour as it once was,” said Mount. “In the past, businesses could self-certify as compliant with Safe Harbour by simply ticking a box. But this does not create a transparent and trusting climate – in fact it does the very opposite, as is the case in any self-regulated environment.

“Any new agreement must be more robust, as per Buttarelli’s comments, and addressing the key issue of self-certification would be a significant step. It will be interesting to see how the EU Commission responds to the EDPS and how negotiations will continue to address the varying issues of self-certification and trust.”

Support for the agreement has been mixed as some European corners have voiced concerns, and some US opinions have been relatively positive, though this may be considered unsurprising. MEP Jan Philipp Albrecht and Edward Snowden were two who demonstrated a critical stance (see accompanying picture), while Microsoft became one of the first major US tech companies to confirm its support of the EU-US Privacy Shield.

Back in April, John Frank, Vice President EU Government Affairs at Microsoft said “we recognize that privacy rights need to have effective remedies. We have reviewed the Privacy Shield documentation in detail, and we believe wholeheartedly that it represents an effective framework and should be approved.”

Although Microsoft has demonstrated a desire to bring the issue to an end, it has also found itself on the wrong side of data requests from the US government, proving it’s no pushover. The company has been involved in a drawn-out lawsuit, as Microsoft has refused the US government access to data which it has stored in its Dublin data centre, telling the government it “must respect the sovereignty of other countries”.

The company has also filed a lawsuit against the US government and its associated agencies, arguing that customers should have the right to know when the state accesses their emails or records, as well as creating the Data Trustee model. The Data Trustee model is seemingly an effort to rebuild trust in the US business, as it hands control of its data over to a European company, in this case Deutsche Telekom, which has to give consent for a Microsoft employee to access the data.

“Businesses have already started looking to alternatives for legitimate data transfers out of the EU in case the Privacy Shield option, once formally adopted, should be taken away,” said Deema Freij, Global Privacy Officer at Intralinks. “For example, Binding Corporate Rules and EU Model Clauses are still seen as strong alternatives. Businesses have been switching to EU Model Clauses to transfer personal data to the US, which they can continue to do on an ongoing basis.

“The responsibility for businesses is only going to increase when the General Data Protection Regulation (GDPR) comes into full effect in May 2018. The next two years will be a huge test for organisations across the world as they begin to realise that data sharing practices will continue to fall under close scrutiny as the concept of data privacy evolves further.”

The EU-US Privacy Shield has made progress in addressing the concerns voiced by European citizens, companies and legislative bodies in recent months, though it is unlikely to be the final answer. In three months, two separate, independent and widely respected opinions have highlighted the shortcomings of the agreement, which doesn’t inspire a huge level of confidence. How the Privacy Shield creators react to the opinion is yet to be seen, though it could be one of the deciding factors on how long the transatlantic data transmission argument continues.

Privacy Shield data agreement dismissed as ‘reheated Safe Harbour’

The new framework for transatlantic data flows proposed by legislators for the European Commission has had a mixed reaction from the cloud industry.

The EU-US Privacy Shield agreement over data transfer replaces the 15-year arrangement that was voided by the Court of Justice of the European Union in October. The new arrangement has to meet official approval from all 28 member states of the European Union. If it does, both sides will finalise the details of the new pact in the next fortnight and the agreement could come into effect in April.

The foundation of the agreement is that American intelligence agencies will no longer have indiscriminate access to Europeans’ data when it is stored in the US. EC Commissioner Vera Jourová claimed that Europeans can now be sure their personal data is fully protected and that the EC will closely monitor the new arrangement to make sure it keeps delivering.

“For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms,” said Jourová, who promised that EU citizens will benefit from redress if violations occur. “The US has assured that it does not conduct mass or indiscriminate surveillance of Europeans,” said Jourová.

Whether the decision really will build a Digital Single Market in the EU, a trusted environment and closer partnership with the US remains a moot point among cloud industry experts.

Approval of the arrangement cannot be taken for granted, according to a speaker for The Greens and the European Free Alliance. “This new framework amounts to little more than a reheated serving of the pre-existing Safe Harbour decision. The EU Commission’s proposal is an affront to the European Court of Justice, which deemed Safe Harbour illegal, as well as to citizens across Europe, whose rights are undermined by the decision,” said Green home affairs and data protection spokesperson Jan Philipp Albrecht. The proposal creates no legally binding improvements and the authorities must make clear that this ‘legally dubious declaration’ will not stand, said Albrecht.

The EU/US data sharing deal won’t stop surveillance, according to former White House security advisor French Caldwell. As a Gartner research VP, Caldwell once advised on national and cyber security and led the first ever cyber wargame, Digital Pearl Harbor. As the new chief evangelist at software vendor MetricStream, Caldwell said there were many flaws in the logic of the agreement.

“The legal definitions of personal data are so antiquated that, even if that data covered under privacy law is protected, there is still so much data around people’s movements and online activities that an entire behavioural profile can be built without accessing that which is considered legally protected,” said Caldwell.

Privacy protections have evolved significantly in the US, Caldwell said, and US authorities are much more aggressive than EU authorities in penalising companies that don’t follow privacy policies. “It is hard to discount nationalism and trade protectionism as underlying motivations [for European legislation],” said Caldwell.

It should alarm cloud customers to see how little has been done to give assurance of their privacy, said Richard Davies, CEO of UK based ElasticHosts. “This gives little assurance to EU customers trusting a US provider with hosting their websites or sensitive data.” Customers with servers with US companies in the EU are likely to move their data to non-US providers to minimize risk, Davies said.

Businesses will need to be much more involved with where their information exists and how it is stored. Until details emerge of the new privacy shield, many European companies won’t want to risk putting data on US servers, warned Ian Wood, Senior Director Global Solutions.

However, this could be a business opportunity for the cloud industry to come up with a solution, according to one commentator. The need for transparency and accountability calls for new data management skills, according to Richard Shaw, senior director of field technical operations at converged data platform provider MapR.

“Meeting EU data privacy standards is challenging at the best of times, let alone when the goal posts are constantly being moved,” said Shaw. The only way to give the US authorities the information they demand, while complying with regulations, is to automate governance processes around management, control and analysis of data, Shaw said.

Would the Privacy Shield and the attendant levels of new management affect performance?

Dave Allen, General Counsel at Internet performance specialist Dyn, said regional data centres are a start but that the data residence perspective is incomplete at best and gives a false sense of confidence that the myriad of regulations is properly addressed.

“Businesses will now need to understand the precise paths that their data travels down, which will be a more complex problem given the amount of cross-border routing of data across several sovereign states. Having access to traffic patterns in real time, along with geo-location information, provides a much more complete solution to the challenges posed by the EU-US Privacy Shield framework,” said Allen.

Can Safe Harbour stay afloat?

When the European Court of Justice declared the US-EU Safe Harbour framework invalid in the case of Schrems v Data Protection Commissioner, some 4,500 companies began to panic. Many are still struggling to decide what to do: should they implement an alternative method of transferring personal data from the EEA to the US, or should they simply wait to see what happens next?

Waiting is a risky game, as the European data protection authorities’ (DPAs) grace period extends only until January 31 2016, by which time companies must have their cross-Atlantic data transfers in order. After this date, enforcement action may be taken against those transferring personal data without a suitable mechanism in place to ensure adequate protections to personal data. Although the slow churning of US and EU authorities negotiating a replacement for Safe Harbour can be heard in the distance, no timeline has yet been set for its implementation. There is also the added complication of the newly approved EU General Data Protection Regulation, which is likely to muddy the waters of an already murky negotiation.

Will Safe Harbour 2.0 come to the rescue?

According to the European Commissioner for Justice, Consumers and Gender Equality (the Commissioner), the negotiations on ‘Safe Harbour 2’ continue, undoubtedly under added pressure following the invalidation of the original Safe Harbour framework. Whilst both sides understand the sense of urgency, no proposal has yet met the needs of both the national security services and the European DPAs.

In Autumn 2013, the European Commission created a report providing 13 recommendations for improving Safe Harbour. Number 13 required that the Safe Harbour national security exception be used only to an extent that is strictly necessary. This recommendation remains a sticking point in negotiations. Human rights and privacy organisations have little hope that these hurdles will be effectively overcome: in November 2015, a letter was sent to the Commissioner from EU and US NGOs, urging politicians to commit to a comprehensive modernisation of data protection laws on both sides of the Atlantic.

Of course, the real bridge to cross is on US law reform, which the Commissioner sees as more about guaranteeing EU rules in the US than changing US law. It seems the ball is very much in the North American court.

Do not, however, be fooled by the House of Representatives passing the Judicial Redress Act, which allows foreign citizens to bring legal suits in the US for alleged violations of their privacy rights. Reform is not easy, and it is now for the Senate to decide whether to follow suit, or to find a way to water down the Act. The govtrack.us website, which follows the progress of bills through Capitol Hill, gives the act a 22% chance of success. With odds like these, maybe we shouldn’t bet on cross-Atlantic privacy reform in the immediate future.

The future of global surveillance

Whilst there have been positive noises coming from the White House regarding the privacy rights of non-Americans, it is unlikely in a post-9/11 world that any government will allow itself to be prevented from accessing data of either its own or foreign nationals.

In light of recent terror attacks all over the world, the Snowden debate is more relevant than ever. How far should government intelligence agencies go towards monitoring communications? Snowden forced governments to think twice about their surveillance practices, but recent attacks may have the opposite effect. Although their so-called ‘snooping’ may breach citizens’ fundamental rights, it may be more a question of how many civil liberties citizens are willing to exchange for safety and security.

The British Government has suggested that fast-track aggressive surveillance proposals (dubbed ‘the Snoopers’ Charter’) are the way forward in helping prevent acts of terror. This new emphasis on drones and cyber-experts marks a big shift from 2010’s strategic defence review. This is a war fought online and across borders and one cannot ignore the context of Safe Harbour here.

The implications on global e-commerce

Hindering cross-border data transfer impedes e-commerce and can potentially cause huge industries to collapse. By 2017, over 45 percent of the world is expected to be engaging in online commerce. A clear path across the Atlantic is essential.

The Information Technology and Innovation Foundation put it bluntly in stating that, aside from taking an axe to the undersea fibre optic cables connecting Europe to the US, it is hard to imagine a more disruptive action to transatlantic digital commerce than a stalemate on data transfer – a global solution must be reached, and soon.

The future of global cross-border data transfer

Time is running out on the Safe Harbour negotiations, and creating frameworks such as this is not simple – especially when those negotiating are starting so far apart and one side (the EU) does not speak with a unified voice.

Most of the 28 European Member States have individual national DPAs, not all of whom agree on the overall approach to reform. If the DPAs could speak in one voice, there could be greater cooperation with the Federal Trade Commission, which could hasten agreements on suitable frameworks for cross-Atlantic data transfers. In the US, much will come down to the law makers and, with an election brewing, it is worth considering the different scenarios.

Even though the two main parties in the US stand at polar ends of the spectrum on many policies, they may not be so distant when it comes to global surveillance. In the wake of the Snowden revelations, Hillary Clinton defended US global surveillance practices. The Republican Party has also been seen in favour of increased surveillance on certain target groups. The question remains: if either party, when elected, is happy to continue with the current surveillance programme, how will the US find common ground with the EU?

Conclusion

Europe seems prepared to act alone in protecting the interests of EU citizens, and the CJEU’s decision in Schrems was a bold and unexpected move on the court’s part. However, with the ever increasing threat to EU citizens’ lives through organised terror, the pressure may be mounting on the EU to relax its stance on data privacy, which could mean that finding common ground with the US may not be so difficult after all. We shall have to wait and see how the US-EU negotiations on Safe Harbour 2 evolve, and whether the European Commission will stand firm and require the US to meet its ‘equivalent’ standard.

 

Written by Sarah Pearce, Partner & Jane Elphick, Associate at Cooley (UK) LLP.

Skyhigh Networks opens European data centre to resolve Safe Harbour fears

Cloud security vendor Skyhigh Networks has opened a new data centre in Germany as it moves to strengthen its support of European customers and multi-nationals.

The Frankfurt facility is a response to increasing demand for data localisation within Europe, which has been stoked by the recent Safe Harbour ruling by the European Court of Justice.

In October BCN reported how a Court of Justice of the European Union (CJEU) ruling puts many companies at risk of prosecution by European privacy regulators if they transfer the data of EU citizens to the US without a demonstrable set of privacy safeguards.

The 4,000 firms that transfer their clients’ personal data to the United States currently have no means of demonstrating compliance to EC privacy regulations. As the legal situation currently stands, EU data protection law says companies cannot transfer EU citizens’ personal data to countries outside the EU which have insufficient privacy safeguards.

The new data centre will use a Hadoop cluster to analyse traffic and identify and report on the risk of cloud services. It will provide interception, inspection, encryption and decryption services. The system will also run anomaly detection, reporting and data leak prevention services to secure Skyhigh’s clients’ cloud services.

Skyhigh said the new data centre gives customers a choice over where their data is processed and better performance in addition to privacy and sovereignty. The data centre is on a site owned and managed by European employees.

“We are delighted that Skyhigh Networks has opened a data centre in Europe,” said David Cahill, Security Strategy and Architecture Manager at AIB, a bank with 2.6 million customers and 14,000 employees. Cahill said that conforming to existing European data protection laws and the General Data Protection Regulation expected in 2016 needs to be taken “very seriously”.

EC calls for Safer Harbour agreement – issues new guidance

The European Commission has issued new guidance to companies on transatlantic data transfers and has called for a rapid creation of a new framework.

In October BCN reported how a ruling on the case of Schrems vs Data Protection Commissioner rendered the US-EU Safe Harbour Agreement invalid as it was revealed that EU citizens’ data was being accessed by the US National Security Agency (NSA).

The Commission said it has stepped up talks with US authorities on a new framework and issued guidance to help companies comply with the ruling and work with alternative transfer tools.

“We need an agreement with our US partners in the next three months,” said EC VP Andrus Ansip, who is responsible for the Digital Single Market. “The Commission has been asked to take swift action: this is what we are doing. Today we provide clear guidelines and we commit to a clear timeframe to conclude current negotiations.”

“Citizens need robust safeguards of their fundamental rights and businesses need clarity in the transition period,” said Commissioner Vera Jourová, adding that 4,000 companies currently rely on the transatlantic data pact.

The EC guidelines advised on how data transfers can continue to be pursued by businesses in the interim period. They cover issues such as contractual solutions and contractual rules, Binding Corporate Rules for intra-group transfers, derogations and the conclusion or performance of a contract. The guideline document, which is 7,981 words long, runs to 16 pages of challenging reading and is open to interpretation.

“As confirmed by the Article 29 Working Party, alternative tools authorising data flows can still be used by companies for lawful data transfers to third countries like the United States,” concludes the guidance document. “However, the Commission considers that a renewed and sound framework for transfers of personal data to the United States remains a key priority.”

Enforcement against non-compliance with the Safe Harbour court ruling comes into place at the end of January 2016.

Opinion divided on impact of CISA ruling on Safe Harbour

The new US Cybersecurity Information Sharing Act (CISA), passed in the US Senate on Tuesday, has made it even harder for data sharing between the US and EU, according to critics.

However, attitudes to data sovereignty and the institution of a new Safe Harbour agreement seem to be polarising across both sides of the Atlantic.

Former White House cyber security advisor French Caldwell, chief evangelist at GRC software company MetricStream, said he recognised the ‘libertarian’ argument but that those at the front line in the IT industry have a more realistic grasp of the immediate issues. “Libertarians are strongly opposed and it’s easy to sympathise with that position. Once the door opens to information sharing, the arrangement might go from voluntary to mandatory over time,” said Caldwell.

However, security people on the ‘front lines’, at banks, electrical utilities, energy companies and hospitals, are fighting a war, he said. “Well financed gangs of criminal hackers are attacking businesses and government agencies daily. And as we’ve seen over the last few years, nation-states are probing for weakness. These cyberattacks amount to cyberwar,” said Caldwell.

The significant privacy protections in the CISA legislation will provide protections from anti-trust rules. Better still, it would bring data holders into a protective information sharing culture with federal agencies, he argued.

However, a UK counterpart saw the CISA ruling differently. “This is bad news. Just as the EU makes it clear that it’s a serious problem if security agencies get easy access to personal data, the US Government makes it even easier for this snooping to happen,” said Mike Weston, CEO of data science consultancy Profusion.

The Cybersecurity Information Sharing Act will make it significantly harder for the US and Europe to agree a replacement for the collapsed Safe Harbour provisions, according to Weston. “Without assurances that European citizens’ personal data is protected, it’s hard to see how such an agreement might be reached. The biggest stumbling block is that while US citizens are afforded some protection by the USA Freedom Act, none applies to citizens of other nations.”

In a Microsoft blog posting, its chief legal officer Brad Smith called on the US government to respect European Union privacy laws for transatlantic personal data in the post-Safe Harbour era.

The note describes privacy as a ‘fundamental human right’ and urges the US government to commit to only accessing private information stored in the United States about EU citizens in a manner that ‘conforms with EU law, and vice versa’.

EC/US have three months to find a new Safe Harbour

The European Commission (EC) and the US are under pressure to come up with a new replacement system for the recently invalidated Safe Harbour agreement.

A statement from EU advisory body the Article 29 Working Party on the Protection of Individuals has given those affected by the ruling three months to devise a new system.

However, the US and the EC have previously worked for two years without success to reform the Safe Harbour agreement. The reforms were made necessary after US government surveillance programmes were revealed by National Security Agency (NSA) whistle blower Edward Snowden. However, despite co-operation, for two years progress stalled as the US couldn’t guarantee limits on access to personal data.

“If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions,” said the statement issued.

Following the Court of Justice of the European Union (CJEU) ruling on October 6th, many companies risk being prosecuted by European privacy regulators if they transfer the data of EU citizens to the US without a demonstrable set of privacy safeguards.

The 4,000 firms that transfer their clients’ personal data to the United States currently have no means of demonstrating compliance to EC privacy regulations. As the legal situation currently stands, EU data protection law says companies cannot transfer EU citizens’ personal data to countries outside the EU which have insufficient privacy safeguards.

EU data protection authorities, meeting in Brussels to assess the implications of the ruling, said in a statement that they would assess the impact of the judgment on other data transfer systems, such as binding corporate rules and model clauses between companies.

The regulators said in their statement the EU and the United States should negotiate an “intergovernmental agreement” providing stronger privacy guarantees to EU citizens, including oversight on government access to data and legal redress mechanisms.

Multinationals can still set up internal privacy rules for US data transfers, to be approved by regulators, but these so-called ‘binding corporate rules’ are only used by 70 companies. All alternative data transfer systems could now also be at risk of a legal challenge, say lawyers. “The good news is that the European data protection authorities have agreed on a kind of grace period until the end of January,” said Monika Kuschewsky, a lawyer at Covington & Burling.

AWS: examine fine print in data transfer legislation

In a week that has seen the European Court of Justice rule the Safe Harbour agreement on data transfer invalid, the significance of data transfer legislation in South East Asia has been under discussion at Cloud South East Asia.

Answering audience questions following his Cloud South East Asia keynote this morning, Blair Layton, Head of Database Services for Amazon Web Services, argued that some of the legislation against data transfer was not always as cast-iron as it appears.

Acknowledging that such legal concerns were indeed “very legitimate,” and that there were certainly countries with stringent legal provisions that formed an obvious barrier to the adoption of cloud services such as Amazon Web Services, Layton nonetheless stressed that it was always worth examining the relevant legislation “in more detail.”

“What we’ve found in some countries is that, even though the high level statement might be that data has to reside in one country, what you find in the fine print is that it actually says, ‘if you inform users then it is fine to move the data,’” he told delegates. “Also, that for sensitive data you think you may not be able to move – because of company controls, board level concerns etc. – we can have many discussions about that. For instance, if you just want to move data for back-up and recovery, you can encrypt that on the premise, maintain the keys on premise, and shift that into the cloud for storage.”

In the same session, Layton, when not extolling the impressive scope and effectiveness of Amazon Web Services in the South East Asian region and beyond, discussed other reasons for the arguable disparity between the evident regional interest in cloud services, and the actual uptake of them.

“There are different cultures in different countries, and they have different levels of interest in technology. For example, you’ll see that… people in Singapore are very conservative compared to the Taiwanese. In other countries their IT is not as mature and they’re not as willing to try new things and that’s simply cultural.”

Cloud industry shaken by European Safe Harbour ruling

The Court of Justice of the European Union has ruled the Safe Harbour agreement between Europe and the US, which provides blanket permission for data transfer between the two, is invalid.

Companies looking to move data from Europe to the US will now need to negotiate specific rules of engagement with each country, which is likely to have a significant impact on all businesses, but especially those heavily reliant on the cloud.

The ruling came about after Austrian privacy campaigner Max Schrems asked to find out what data Facebook was passing on to US intelligence agencies in the wake of the Snowden revelations. When his request was declined on the grounds that the Safe Harbour agreement guaranteed his protection, he contested the decision and it was referred to the Court of Justice.

This decision had been anticipated, and on top of any legal contingencies already made, large players such as Facebook, Google and Amazon are offered some protection by the fact that they have datacentres within Europe. However, the legal and logistical strain will be felt by all, especially smaller companies that rely on US-based cloud players.

“The ability to transfer data easily and securely between Europe and the US is critical for businesses in our modern data-driven digital economy,” said Matthew Fell, CBI Director for Competitive Markets. “Businesses will want to see clarity on the immediate implications of the ECJ’s decision, together with fast action from the Commission to agree a new framework. Getting this right will be important to the future of Europe’s digital agenda, as well as doing business with our largest trading partner.”

“The ruling invalidating Safe Harbour is seismic,” said Andy Hardy, EMEA MD at Code42, which recently secured $85 million in Series B funding. “This decision will affect big businesses as well as small ones. But it need not be the end of business as we know it, in terms of data handling. What businesses need to do now is safeguard data. They need to find solutions that keep their, and their customers’, data private – even when backed up into public cloud.”

“Symantec respects the decision of the EU Court of Justice,” said Ilias Chantzos, Senior Director of Government Affairs EMEA at Symantec. “However, we encourage further discussion in order to create a strengthened agreement with the safeguards expected by the EU Court of Justice. We believe that the recent ruling will create considerable disruption and uncertainty for those companies that have relied solely on Safe Harbour as a means of transferring data to the United States.”

“The issues are highly complex, and there are real tensions between the need for international trade, and ensuring European citizen data is treated safely and in accordance with data protection law,” said Nicky Stewart, commercial director of Skyscape Cloud Services. “We would urge potential cloud consumers not to use this ruling as a reason not to adopt cloud. There are very many European cloud providers which operate solely within the bounds of the European Union, or even within a single jurisdiction within Europe, therefore the complex challenges of the Safe Harbor agreement simply don’t apply.”

These were just some of the views offered to BCN as soon as the ruling was announced, and the public hand-wringing is likely to continue for some time. From a business cloud perspective, one man’s problem is another’s opportunity, and companies will be queuing up to offer localised cloud services, encryption solutions, etc. In announcing a couple of new European datacentres today, NetSuite was already making reference to the ruling. This seems like a positive step for privacy, but only time will tell what it means for the cloud industry.