The Safe Harbor directive was intended to provide a means for US companies to prove “adequacy” in their safe handling of private personal information of EU citizens, in accordance with EU standards. The directive was necessary since the vast chasm that exists between US rules, regulations and laws and those of the EU could never realistically be bridged on a national level.
For an EU business or organization looking to engage a US cloud-storage provider, we offer the same advice we give to US customers seeking secure, compliant storage providers: believe only what can be proved.
Declarations of Safe Harbor certification by many US companies wanting to do business with EU companies have proven to be false. A 2008 study found false claims of membership, false claims of certification and lack of government oversight.
Understandably, this riled EU authorities who called upon the US government to get on board or risk withdrawal of Safe Harbor altogether, essentially prohibiting any commerce involving the exchange of personal data between the US and EU. Intense negotiations are ongoing, with even tougher regulations and sanctions on the table. We can only hope these global trading partners can reach a mutually acceptable accord.
An EU business seeking cloud storage in the US must do its due diligence. Conversely, the storage provider must be transparent about the state of its compliance with the seven fundamental Safe Harbor principles: 1) notice; 2) opt-out choice; 3) restriction on onward transfer; 4) security of data protection; 5) preservation of data integrity; 6) individual’s right to access; and 7) effective enforcement.
In a recent report from Forrester Research, Inc. (Q&A: EU Privacy Regulations, March 12, 2014), this leading industry analyst and consulting firm offered recommendations to EU companies when assessing US companies; the same would apply for US-based cloud service providers.
- Ask the provider to supply proof of compliance assessment, including documents that detail what provisions it implements to satisfy each of the seven principles.
- Assessments are required annually, so ask the providers for ongoing compliance proof during your contract period.
- Check to see if the provider’s privacy policies are published.
- Determine if the provider has notified the US Department of Commerce of self-certification.
Beyond that, it would behoove an EU firm to look closely at the cloud storage provider’s overall security and compliance posture. A provider that submits to annual independent auditing under the SSAE 16, ISAE 3402 and AT-101 audit standards is out to prove its cloud storage environment is safe and secure. Additionally, compliance with the Payment Card Industry Data Security Standard (PCI-DSS) and the Health Insurance Portability and Accountability Act (HIPAA/HITECH) demonstrates a clear commitment to serving customers who are subject to strict security standards for data privacy, handling and protection.