EU pulls plug on safe harbor agreement


The Safe Harbor agreement was a crock. It’s time to start taking privacy seriously!

So, the European Court of Justice has ruled, at the end of a case that had been ongoing for two years, that the 15-year-old ‘Safe Harbor’ agreement with the United States, which was meant to protect the privacy of European citizens’ data when transferred to the US, is not valid.

This is, on the face of it, a big deal. After all, the whole point of having such an agreement in the first place was to ensure that online business between Europe and the US could go ahead with minimal interruption while at the same time safeguarding the privacy rights of EU citizens. However, many people (including us here at IT Security Thing) have been saying that Safe Harbor was a crock for the longest time, and did nothing to provide the ‘adequate privacy in line with EU privacy laws’ that needed to be in place if a legal transfer of data outside of EU boundaries is to take place.

The problem being that US companies may well have promised, via Safe Harbor, to protect EU citizens’ data when transferred out of Europe, but that didn’t mean the US government and its law enforcement or intelligence agencies necessarily agreed. It’s one thing for the likes of Apple, Facebook, Google and Microsoft to self-certify on data protection under Safe Harbor, but quite another to deliver upon those privacy promises when government agencies required them to hand over data stored within US-based data centres as part of an investigation.

What Safe Harbor actually provided was something that made life easier for the businesses concerned, who didn’t have to jump through data privacy hoops (asking for consent, entering into bilateral agreements and so on) time after time after time when doing business with Europe. Ultimately, it didn’t really provide much in the way of real protection for European citizens which, as far as European citizens were concerned anyway, was meant to be the whole bloody point.

There has been much complaining about the ECJ ruling, to the effect that it will stop business between Europe and the US, or at the very least increase the costs of doing so considerably. Of course, these costs will be passed on to the customer. Equally of course, these complaints have largely come from those people whose interest is purely commercial.

Speaking as someone whose interest is wholly from the security and privacy perspective, I am not losing any sleep over this. I imagine that, not naming names, many large multinationals could use some of that money left over from not paying taxes in the UK to subsidise the additional cost of actually ensuring that customer data privacy is protected rather than just mouthing the words and not really giving two shits as long as the paperwork is stamped and approved.

Indeed, if these businesses don’t already have model clauses drawn up to enable contracts to be changed, and processes in place to enable that change to be implemented then that’s pretty short-sighted of them.

The ECJ ruling hardly came as a surprise, after all. Those who were surprised by it may have to stop transferring data to the US until they get it sorted. That’s the price they will have to pay for not taking privacy matters seriously enough as far as I am concerned; get the paperwork sorted, and get back to business.

Businesses should, if they have any sense, include options to geo-fence data according to the wishes of the customer. Many US companies have already got EU-based data centres up and running, and many others are building them. Those that are being left behind, either through short-sightedness or arrogance, deserve to be left behind. Simples.

Surely it has to be a good thing if this decision forces the hand of business to start dealing with the undoubted privacy problems that can occur when moving data around as we do? Surely it has to be a good thing if this decision forces the US powers that be to pull their collective fingers out and bring in some Federal data protection legislation with teeth? Surely nobody thinks that companies self-certifying is what we needed here in the first place? That was always going to be a recipe for disaster, for the customer that is. Now business may cry that it wasn’t their fault that US agencies could access the data without due process, but I respond to that with one word: bullshit. Turning a blind eye to what everyone knows is the reality of a situation does not justify what is happening.

That some businesses may go under as a result of this ruling also does not figure in my personal sleep pattern predictions. Being less technologically able, or not having enough money to invest in such things, are again no justification for not taking data privacy seriously enough. If a company that was playing fast and loose with my data, because there was a self-certification process that enabled them to do that, can no longer afford to operate if it has to start caring about data privacy then I for one am glad it’s going down.

I take my hat off to the Austrian law student, Max Schrems, who took on Facebook in the case that led to this ruling. Safe Harbor was no data privacy treaty, no European data protection pact with the US; it was a loophole that enabled US business to bypass perfectly reasonable European privacy laws. It was driven by the dollar, it dropped on bended knee and kissed the hand of state surveillance. We are better off without this crock, good riddance I say. But don’t just take my word for it, here’s what others are saying.

Danny O’Brien, International Director of the Electronic Frontier Foundation (EFF) says “Countries have to make clear that mass surveillance of innocent citizens is a violation of human rights law, whether it is conducted inside their borders or outside, upon foreigners or residents. They have to bring their surveillance programs, foreign and domestic, back under control. For the United States, that means reforming Section 702 of the Foreign Intelligence Surveillance Amendments Act, and re-formulating Executive Order 12333. These are the secretive and overbroad regulations that permit NSA to use PRISM and a raft of other programs to spy on Europe and beyond. Equally important, the United States must revisit the laws, regulations, and institutional processes that allow these programs to fester in the dark, largely unaccountable to the public.”

Ryan O’Leary, Senior Director of the Threat Research Center at WhiteHat Security, says “As a user, I can tell you that companies saying they take security seriously often have no such security policies in place. There is absolutely no guarantee that these companies are protecting your data and adhering to their own stated policies. In addition, as Edward Snowden revealed, the US has developed many programs to access such protected data in the name of national security with the companies’ assistance. Instead of creating a self-certifying security system, the US needs to adopt a more robust individual data protection policy that assures users of even a basic level of data security. This will also make it much easier for EU companies to do business with the US as they will have similar security measures in place.”

Pravin Kothari, CEO and founder of US cloud security firm, CipherCloud says “At the heart of the Safe Harbor ruling is the inherent conflict between regional data privacy laws and the global nature of the Internet. This is not the first time that Europeans have faulted the agreement for being weak, and as a self-certification process it certainly leaves room for improvement. The lesson for enterprises caught in the middle is that they can’t rely on third parties or the legal system for data protection. The best option before a new agreement is reached is for enterprises to proactively protect their sensitive data, regardless of where it resides. A measure that comes to mind is encryption, of which Edward Snowden said ‘trust the math.’”

Bharat Mistry, Cyber Security Consultant with Trend Micro says “Now that Safe Harbor has been invalidated, it means US companies must look at local operations to process data. This is a good thing as it restricts data flow to within the EU or local country borders. Therefore – tighter control and enforcement by the EU and additional investment into Europe in the form of extra jobs in data processing. However, it will be very challenging to get a replacement to Safe Harbor off the ground – because individuals are much more savvy to data protection and will want to challenge it and understand the implications of the who, why, when and where. Overall, the ruling is a positive as the more distributed the data – the higher the chance of a breach.”