US and EU must reach new Safe Harbour deal by January 2016


20/10/2015: EU data protection regulators have set a deadline for a revised Safe Harbour agreement, after it was ruled invalid earlier this month.

At the start of October, the European Court of Justice decided that Safe Harbour did not give data transfers between Europe and the US adequate protection and declared the agreement void, but the court has given the EU and US until 31 January 2016 to agree on a new deal.

If a solution is not found by that time, regulators will begin taking steps to enforce the ruling.

"EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions", the court wrote in a statement.

Elizabeth Maxwell, data regulation expert at Compuware, said the decision has "sent a ripple across the water".

"Around 4,500 US companies use the Safe Harbour agreement and related certification to allow them to do business with the European Economic Area. This judgement is providing a very definite message to the world that data privacy is a serious matter and there will be serious consequences for non-compliance," she added.

12/10/2015: Dropbox is reviewing the ruling that declared the Safe Harbour agreement invalid and has not yet committed to building a European datacentre to overcome the issue.

Safe Harbour was a longstanding EU-US principle that guaranteed any EU data transferred to America would receive the same safeguards enjoyed within the EU.

But the European Court of Justice (ECJ) last week concluded that the agreement no longer affords EU citizens' data privacy and ruled the agreement to be invalid.

Its decision was based on evidence of US spy initiatives like PRISM, which Austrian privacy campaigner Max Schrems argued meant America could not guarantee European citizens' data would remain private.

The fallout from the ruling could provoke a scramble to build EU datacentres, with file-sharing firm Box already confirming that customers will be able to store data within the EU come a year's time.

But Dropbox has made no such commitment, responding to IT Pro's questions to say only that it is reviewing the ECJ's decision.

A spokeswoman said: "Dropbox is committed to upholding the security and privacy of customer data. We are currently reviewing the court's decision in detail, and will continue partnering with our EU users and customers on their ongoing usage of our services."

In fact, the firm told Cloud Pro back in May that it had no plans at all to build an EU datacentre.

UK chief Mark van der Linden said at the time: "That's completely not on the roadmap. Location in our opinion is only one piece of the puzzle."

In contrast, Box CEO Aaron Levie told the Telegraph last week: "In a year from now I would absolutely expect we will have customers storing their data internationally. We're building towards it now."

It could leverage datacentres belonging to enterprise partner IBM to fulfill this aim.

Existing file-sharing competitors Google and Amazon Web Services have a number of European datacentres, while another rival, Egnyte, allows people to store their data in the cloud or on-premises, meaning they do not have to entrust it to the public cloud.

However, there are a number of considerations for cloud service providers seeking to respond to the latest ruling, before they commit to building new data storage sites.

Data transfers to the US are not actually illegal

The first is that the Safe Harbour agreement was already being reworked regardless of the ECJ's ruling; a new and improved framework could be announced by the US and the European Commission as early as the end of 2015.

Secondly, as IDC's research director for European security, Duncan Brown, pointed out, the ruling does not render EU-US data transfers illegal.

"The judgement compels each EU nation's data protection authority (DPA) to investigate fully any complaint against a data processor transferring data to the US," he said.

"However, data processors may now be subject to multiple court cases that the DPAs are now obligated to investigate, and individual data transfers may be deemed to be non-compliant."

EU datacentres may not be enough

A wider issue that remains unresolved may explain Dropbox's non-committal response to the Safe Harbour ruling so far.

The issue in question is Microsoft's appeal against a court decision commanding it to hand over emails stored in its Dublin servers to the US government.

Should that appeal fail it would effectively mean that the US government can demand data from any American company, regardless of where the data resides.

Other ways to transfer data legally to the US

While the invalidation of Safe Harbour means the easiest way for vendors to transfer EU data to the US is no longer possible, other methods still exist.

"Data protection law provides a number of other gateways to lawful export of personal data to a third country, such as data subject consent, standard form contracts and self-assessment," said Daniel Hedley, associate at national law firm Thomas Eggar LLP.

But he added that the judgement could affect those methods too in the longer term, and advised businesses who need to send their data outside of the EU to wait for the UK's data watchdog to issue advice.

The Information Commissioner's Office "has indicated that it is considering the judgment and will provide guidance for businesses in due course", Hedley explained.

"Reading between the lines, it seems to have little appetite for instant, rigorous enforcement against the new situation. Businesses would be well advised to start the dialog process with their US-based cloud providers and other data processors, and to keep an eye on the ICO for further guidance."

06/10/2015: The European Court of Justice (ECJ) has ruled invalid the Safe Harbour data transfer agreement between the EU and US that has overseen data movements from European users of US cloud services to the US for processing.

The decision could lead to a disruption of services for firms such as Facebook, Google, Apple, Microsoft and others.

The ECJ made the same decision as the US Attorney General last month that data processing rules devised in 2000 do not give proper guarantees that EU citizens' data will stay safe once on US soil. The ruling originated in a case that Austrian resident Max Schrems brought against Facebook following revelations by Edward Snowden that showed how the NSA was able to snoop on data about EU citizens.

According to the court's Safe Harbour ruling, tech companies could be forced to store data in the EU, rather than in the US. Otherwise, those companies could be forced to attain certification for more rigorous data transfer rules.

"The United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security," said the ruling.

The court also said that EU citizens had no right of redress to stop the misuse of personal data. The rules were also found to have undermined national data protection authorities' ability to rule on data transfers.

"The court finds that the Safe Harbour decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals," it said.

It would seem that the ruling was on the horizon as talks are already taking place between the US and EU over the creation of a new framework to replace the current invalid one.

Ashley Winton, UK head of data protection and privacy at international law firm Paul Hastings, told IT Pro that the ruling has serious repercussions for multi-national companies with operations in Europe.

"Many European data protection regulators, particularly those in Germany, have long believed that the conditions of the safe harbour scheme are not substantial enough and the effect of today's ruling will empower them to investigate and check the acceptability of any data transfer themselves," he said.

He added that, although the case today primarily concerns Safe Harbour, the ruling will also apply to other European Commission approved methods of transferring personal data internationally.

"Crucially, this case cannot be considered alone. Following the landmark case of Weltimmo last week, multinational companies that have elected to create an establishment in a more business-friendly jurisdiction are now likely to have their data protection practices scrutinised by local regulators all across the EU," said Winton.

He added that there are currently no rules limiting individuals bringing complaints regarding data protection across multiple jurisdictions simultaneously, "so we may now see these complaints springing up from every direction, where data is being shared around the world."

This article was originally published on 06/10/2015 but has been updated (most recently on 20/10/2015) to reflect the latest developments.