Scuttling of Safe Harbor Leaves Companies in Holding Pattern
Yet, in November 2013, the European Commission published an analysis of the impact of U.S. national security policy on the privacy of European citizens, finding that personal data handled by multinational companies could be "accessed and further processed by U.S. authorities in a way incompatible with the grounds on which the data was originally collected" under European law. The EU Court of Justice's ruling cites that finding as undermining the effectiveness of the Safe Harbor framework. The ruling leaves companies, especially Internet firms and cloud providers, in a gray zone, Fred Kost, senior vice president at HyTrust, a virtualization management firm, said in a statement. "Safe Harbor allowed self-certification that adequate measures were being taken to protect data," Kost said. "With the adoption of the cloud and the loss of Safe Harbor, companies face harsh requirements on the location and protection of data stored by them."Others will have to wait to see how EU regulators respond. The most clarity would be provided by negotiations that are already underway between the European Union and the United States over a second Safe Harbor framework. "The ruling now puts a lot of pressure on the EU Commission to finalize a new agreement, which is already in progress," said Sean Sullivan, an advisor at security software firm F-Secure. Yet the European Union could make it very hard on U.S. businesses, depending on the motives driving the ruling, Daniel Arthursson, CEO of CloudMe, a cloud storage and file synchronization solution, said in a statement provided to eWEEK. If the EU government aims to stop all unauthorized access to personal data, any U.S. company, no matter whether they store data in the United States or the European Union, will be suspect, as they still have to abide by U.S. laws as well, he said. "The declaration of invalidity of the Safe Harbor Act to protect EU citizen privacy will have far larger repercussions for U.S. cloud services than most people realize," he said. "U.S. entities, including subsidiaries operating overseas, are required to comply with U.S. law and may be ordered to disclose information from its EU data centers—quickly eliminating this as a viable solution to the problem." In the end, the situation will be a tricky one to solve. Unless companies have the ability to refuse access requests from the National Security Agency—or any other nation's intelligence or law-enforcement agency—they will always have to be subject to search warrants and national security letter, F-Secure's Sullivan said. "The NSA asks for information on a target--and Facebook delivers the details," Sullivan said. "That is still possible, regardless of any safe harbors." The outcome of the debate will rely on whether security trumps privacy, or the other way around. Rather than try to protect personal data against such requests, governments may agree that they are necessary, Sullivan said. It' not unreasonable, if the power is not abused. "Based on Facebook's transparency reports—it really doesn't happen all that often," he said.
Little to Worry About, InitiallyFor the most part, however, little will immediately change. Companies abiding by Safe Harbor in good faith will have little to worry about, at least, initially, IAPP's Tene said. Many of the largest companies have already created ways to deal with the issues, segmenting customer data, and the storage of that data, by jurisdiction.
"If you are Microsoft or Pfizer, or a Fortune 100 company, chances are you have already solved the problem," Tene said. "They knew this was coming; it was not a big surprise. But if you are a smaller company, then you face a lot of confusion."