Box explores alternatives to Privacy Shield to transfer EU data to US

Box will endorse Privacy Shield, but is exploring alternatives that mean it may not need to rely on the new EU-US data transfer framework.

Microsoft yesterday came out in support of the replacement for Safe Harbour, the agreement scrapped last year by the European Court of Justice after it found the US would favour anti-terrorist measures over people’s personal privacy.

It has now won the support of Box too, amid industry pressure on regulators to pass a new framework that guarantees EU data sent to the US will be protected.

But leaks suggest the Article 29 Working Party – a group of data protection authorities representing all member states – does not believe the new framework offers adequate protection.

Text attributed to the group's German members was published temporarily on the agency’s website (and spotted by Ars Technica) before being pulled down, and read: “[We are] not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection [in the US] that is essentially equivalent to that in the EU.”

After confirming Box will support Privacy Shield, the collaboration firm’s general counsel, Peter McGoff, told Cloud Pro that it is nevertheless looking at other options.

“There are other adequate protections like model clauses [and] binding corporate rules, and we have been working for several years on binding corporate rules (BCRs),” he said.

BCRs are effectively internal rules that a company adopts to define its policy on personal data transfers and, once approved by the EU, are enough to satisfy data protection watchdogs.

McGoff said: “BCRs are another way that you can get the same level of protection and even stronger protection for our customers, and that’s something we have been working on and hopefully we’ll have an announcement soon on that.”

His comments came after Box CEO Aaron Levie admitted data location is a growing priority for his customers.

He told delegates at Box World Tour in London today: “We’ve heard lots of feedback over the past couple of years that there’s also a deep amount of interest on making sure you can store files locally in-region. This has been a major concern for some of the world’s largest businesses and some of the most regulated companies around the world.”

This led to today’s introduction of Box Zones, a product being released in May to let Box users of any tier pay to store their data in different geographic regions, underpinned by Amazon Web Services and IBM datacentres.

The first five regions will be the US, Germany, Ireland, Japan, and Singapore.

Explaining why Box picked these locations, Levie later said: “We looked at broadly where we were seeing the most international traction coupled with where there are some of the biggest challenges or hurdles from a data privacy or data regulation standpoint.”

Privacy Shield could be approved despite the Article 29 Working Party’s misgivings, as the group has no authority over the agreement’s fate.

The proposed deal would impose deadlines on companies to respond to complaints from people who feel their data has been misused, and the US has offered written assurances it will not spy on people’s data. Critics complain that these assurances are not reflected in US law.