The headlines in Britain’s Daily Mail and Germany’s Bild aside, the European Union (EU) takes privacy very seriously, at least when it comes to data. In fact, EU privacy legislation is considered among the most rigorous in the world.
The U.S. takes privacy seriously too. Think Health Insurance Portability and Accountability Act (HIPAA), the privacy notices required under the Gramm–Leach–Bliley Act (GLBA), a voting system that relies on secret ballots and the privacy protections under the Fourth Amendment.
Still, the U.S. and EU don’t always see eye-to-eye on the subject of privacy. Google and Facebook are among the U.S. companies currently under scrutiny in Europe for alleged violations of data protection laws. Disclosures by U.S. National Security Agency contractor Edward Snowden regarding U.S. data surveillance haven’t helped. But even without those revelations, the fact remains that there are significant differences between EU and U.S. laws regarding data privacy.
The EU generally grants more rights to the individual, while the U.S. takes a more ad hoc approach to data protection, often relying on a combination of public regulation, private self-regulation and a patchwork of state and federal legislation.
Privacy Goes Digital
Things get even more tenuous when we talk about privacy in the digital realm. Most U.S. Internet companies have lobbied heavily against oversight, and there has been little legislative progress on regulating the collection of consumer data.
In contrast, the EU has put broad safeguards in place to ensure its citizens’ digital privacy. These include the 1995 Data Protection Directive, which grants EU citizens the right to both remove and correct any personal information about themselves online, and bars companies from transferring data either to another company or across national borders, especially to a country that doesn’t offer comparable levels of protection. Since U.S. privacy laws are deemed less stringent than those in the EU, transfer of personal data to the U.S. has generally been frowned upon.
Safe Passage for Data
Of course, with the U.S. a major player in the global economy, the idea of shutting down data exchange between the U.S. and the EU was unrealistic. That’s where the Safe Harbor framework comes in. Created as a collaborative effort between the EU and the U.S., it permits data transfers from the EU on the basis that U.S. companies self-certify their agreement to abide by the Safe Harbor framework, which includes seven privacy principles similar to those found in the 1995 EU Data Protection Directive.
So all is good in the world when it comes to data privacy? Not exactly. The EU has continued to strengthen its data protection policies, most notably in a draft regulation released in January 2012 that, once formalized, will supersede the Data Protection Directive. It is expected to be adopted in 2014 and take effect in 2016. But before it does, expect there to be changes. Although the cloud was not mentioned in the iteration released in 2012, the European Parliament has since attached amendments to it; several deal with cloud computing.
One proposed amendment would require all data transfers from a cloud in the EU to a cloud maintained in the U.S. or elsewhere to include a notification to the data subject of such transfer and its legal effects. Another would bar these kinds of transfers unless certain conditions are met. Not only would consent be required by the subject of the data, but that person would also need to be “informed in clear, unambiguous and warning language through a separate and prominently visible reference” to the possibility of their personal data being subject to intelligence gathering or surveillance by third-country authorities.
Other discussions revolve around ways to make sure that data is processed and stored only in clouds to which EU data protection laws and European jurisdiction apply. That means it may not be enough for U.S. companies to maintain data center operations in the EU.
Safe Harbor in the Cloud
So how does the Safe Harbor framework come into play with regard to the cloud? Does it even apply? The good news is that in April 2013, the U.S. Department of Commerce’s International Trade Administration (ITA) released a document that provides guidance on the use of U.S. cloud service providers by those in the EU regarding personal data hosting and privacy.
According to the ITA, Safe Harbor applies to cloud service agreements, and allows for data that has originally been transferred to a Safe Harbor compliant cloud services provider (CSP) to be transferred to another country. The ITA also states that all CSP subcontractors must sign a written agreement requiring the same level of data protection as the Safe Harbor Privacy Principles.
Is Safe Harbor Safe Enough?
However, don’t just take a CSP’s word that it has Safe Harbor certification. Get proof of its certification and request evidence that it actually follows the Safe Harbor principles. The ITA provides a list of certified companies on its website, but you can also verify ongoing security practices by checking the CSP’s compliance audit reports.
Keep in mind that Safe Harbor does not address data retention policies, loss of governance, insufficient audit trails or isolation failures. The ITA recommends that specific technical and security requirements be included in any contract between a client and CSP. While Safe Harbor is relevant when it comes to cloud computing services and European data, it is not an all-encompassing rule for determining cloud security responsibilities.
Doing business internationally makes good economic sense. But just as we have to take into account cultural nuances and varying business practices, we also have to consider data privacy concerns. When it comes to doing business in the cloud, the Safe Harbor framework, combined with due diligence, can help keep both data and business flowing across borders.
Peak 10 has again completed a series of annual audits by authorized independent qualified security assessors to ensure we continue to meet the requirements of HIPAA, PCI DSS and a number of other certifications and regulatory bodies. Peak 10 is also certified under the U.S. Department of Commerce Safe Harbor Program.