European Commission, News & Analysis, Policy and Regulation, Privacy Shield, Safe Harbour

Privacy Shield data agreement dismissed as ‘reheated Safe Harbour’

Europe US court of justiceThe new framework for transatlantic data flows proposed by legislators for the European Commission has had a mixed reaction from the cloud industry.

The EU-US Privacy Shield agreement over data transfer replaces the 15 year arrangement that was voided by the Court of Justice of the European Union in October. The new arrangement has to meet official approval from all 28 member states of the European Union. If it does both sides will finalise the details of the new pact in the next fortnight and the agreement could come into effect in April.

The foundation of the agreement is that American intelligence agencies will no longer have indiscriminate access to Europeans’ data when it is stored in the US. EC Commissioner Vera Jourová claimed that Europeans can now be sure their personal data is fully protected and that the EC will closely monitor the new arrangement to make sure it keeps delivering.

“For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms,” said Jourová, who promised that EU citizens will benefit from redress if violations occur. “The US has assured that it does not conduct mass or indiscriminate surveillance of Europeans,” said Jourová.

Whether the decision really will build a Digital Single Market in the EU, a trusted environment and closer partnership with the US remains a moot point among cloud industry experts.

Approval of the arrangement cannot be taken for granted, according to a speaker for The Greens and the European Free Alliance. “This new framework amounts to little more than a reheated serving of the pre-existing Safe Harbour decision. The EU Commission’s proposal is an affront to the European Court of Justice, which deemed Safe Harbour illegal, as well as to citizens across Europe, whose rights are undermined by the decision,” said Green home affairs and data protection spokesperson Jan Philipp Albrecht. The proposal creates no legally binding improvements and the authorities must make clear that this ‘legally dubious declaration’ will not stand said Albrecht.

The EU/US data sharing deal won’t stop surveillance, according to former Whitehouse security advisor French Caldwell. As a Gartner research VP, Caldwell once advised on national and cyber security and led the first ever cyber wargame, Digital Pearl Harbor. As the new chief evangelist at software vendor MetricStream, Caldwell said there were many flaws in the logic of the agreement.

“The legal definitions of personal data are so antiquated that, even if that data covered under privacy law is protected, there is still so much data around people’s movements and online activities that an entire behavioural profile can be built without accessing that which is considered legally protected,” said Caldwell.

Privacy protections have evolved significantly in the US, Caldwell said, and US authorities are much more aggressive than EU authorities in penalising companies that don’t follow privacy policies. “It is hard to discount nationalism and trade protectionism as underlying motivations [for European legislation],” said Caldwell.

It should alarm cloud customers to see how little has been done to give assurance of their privacy, said Richard Davies, CEO of UK based ElasticHosts. “This gives little assurance to EU customers trusting a US provider with hosting their websites or sensitive data.” Customers with servers with US companies in the EU are likely to move their data to non-US providers to minimize risk, Davies said.

Businesses will need to be much more involved with where their information exists and how it is stored. Until details emerge of the new privacy shield, many European companies wont want to risk putting data on US servers, warned Ian Wood, Senior Director Global Solutions.

However, this could be a business opportunity for the cloud industry to come up with a solution, according to one commentator. The need for transparency and accountability calls for new data management skills, according to Richard Shaw, senior director of field technical operations at converged data platform provider MapR.

“Meeting EU data privacy standards is challenging at the best of times, let alone when the goal posts are constantly being moved,” said Shaw. The only way to give the US authorities the information they demand, while complying with regulations, is to automate governance processes around management, control and analysis of data, Shaw said.

Would the Privacy Shield and the attendant levels of new management affect performance?

Dave Allen, General Counsel at Internet performance specialist Dyn said regional data centres are a start but that the data residence perspective is incomplete at best and give a false sense of confidence that the myriad of regulations is properly addressed.

“Businesses will now need to understand the precise paths that their data travels down, which will be a more complex problem given the amount of cross-border routing of data across several sovereign states. Having access to traffic patterns in real time, along with geo-location information, provides a much more complete solution to the challenges posed by the EU-US Privacy Shield framework,” said Allen.