Not so Safe Harbour


Not so Safe Harbour

by Matt Gall
about the authors
Not so Safe Harbour

Share this Blog with a friend.

About the Author

dark mode

Last October, the Court of Justice of the European Union ruled that the EU/US safe harbour treaty doesn’t offer the protections required of Europe’s Data Protection laws.

The EU’s Acquis Communitaire (its body of law) stems from the various treaties that bound its members in which they agree to abide by the European Convention of Human Rights and its EU instantiation the EU Charter of Fundamental Rights. Article 8 of the ECHR defines a European Citizen’s right to privacy as part of a series of universal human rights. There is a basic difference between the EU and the US in terms of the ideology behind privacy law.

Europe’s privacy laws require that personal data can only be held with the consent1 of the data subject, it may not held for longer than necessary for the purposes of the consent and the data must be adequately protected.

The CJEU has ruled that as far as enterprises are concerned US cloud storage or information systems service providers2 cannot be considered adequately protected even if the computers and storage devices are located in Europe, if the only guarantees of adequate protection are the EU/US Safe Harbour treaty. According to the contemporary Ars Technica article, “Europe’s highest court….”, the judges further criticise the lack of legal remedy in that foreign surveillance targets cannot be represented in US courts, implying that the key vulnerability to privacy in the US is their government law enforcement agencies.

The first response to this short term operational threat has been the suggestion to move the legal protection from public & international law i.e. treaties backed by criminal law enforcement and sanctions into contract law by utilising the so-called model clauses. The European Union has been working on this for several years and privacy lawyers and several Information Systems Service Providers (ISSPs) are proposing them as the first reaction to the ruling.
The use of contract laws is an insurance risk mitigation strategy i.e. it allows the aggrieved parties to earn financial restitution in the case of failure to adequately protect” a data subject’s privacy, including breaches in response to a foreign law enforcement warrant. This also assumes that the subsidiary deemed guilty of the breach can be identified and has any assets to pay any fines or civil compensation claims.

While privacy advocates may argue that the US have not moved far enough, it’s clear that there may soon be easier access to US independent judicial remediation than in parts of Europe for EU citizens. The problem is likely to remain the US anti-terrorist laws and its concepts of extraterritoriality. However, since the CJEU ruling some progress has been made as the US begins to pass new laws that permit European Citizens to seek redress in cases where their privacy rights have been breached. The original court ruling, I would argue, means that there is still some lack of clarity in considering US owned storage as “adequate protection”. The last few month’s developments reinforce the fact that the determination of adequate protection is becoming an issue for the European national data protection officials, not the Commission, the Council of Ministers or the member state governments. This diversity of response is another cause of the lack of clarity,

The court case has encouraged the US Federal Government and the European Commission to negotiate a new agreement which the EC is boosting as a path out of the current uncertain situation. The lack of certainty will remain for some time to come, Citihub are not lawyers but there are alternative or supplementary IT policy responses in which Citihub has experience which may reduce the risk.

The first thing to be done is to understand the risk; a risk assessment must be undertaken. Aspects of the risk are understood; we know how to place controls on cross border data transfers and design and run data leakage programmes. Having understood the size of the risk, a probability can be assessed, and the company’s risk appetite agreed and documented.

Data has a locational and now jurisdictional attribute. Corporation’s data models must capture and record this. Apart from the obvious applications, the personal data sets held in sales and billing, incident management and also employee data held in vendor product, HR databases3 and desktop productivity systems must be documented. The harder-to-capture data flows and stores will be user authorised applications, an issue explored by Citihub in its white paper, Cloud Controls for Financial Services. Again the key vulnerability here is user authorised SaaS although some organisations will also allow the distributed purchase of IaaS. Identifying user owned and authorised systems and protecting them is a now persistent issue in IT security control design.

The coming EU Data Protection Regulation amongst other things, including original eye watering fines mandates the appointment of a Data Protection Officer who must be professionally skilled, to the extent of understanding “adequate technical protection”. Firms should evaluate their readiness to meet these new requirements. It will need a new breed of professional.

In summary,
1. know what your personal and confidential data is and where it’s held

2. define your risk appetite

3. understand the new legal threat to both reputational and regulatory risk

4. review your legal protection

a. contracts
b. skills

5. review your technical protection

a. data meta model
b. cross border controls
c. data leakage

Related Insights

See technical discoveries and coding insights from our developers.

Find out more about life at Citihub

about us