Safe Harbour and how to protect your business and customer data today

What was Safe Harbour?

Safe Harbour was a policy agreement between the United States Department of Commerce and the European Commission to regulate how US companies manage the personal data of European citizens. It went into effect November 2000.

This “Safe Harbour” construct was intended to make it possible for companies to move data from Europe to the US without violating the EU's Data Protection Directive.

On Tuesday 6th of October 2015, the European court ruled that Safe Harbour was invalid. Due to this ruling, there is no legal mechanism for US based entities to provide data services to the European market.

Why was Safe Harbour deemed invalid?

Safe Harbour has been criticised and questioned for a long time. In simple terms, it represented the promise by US companies that in the handling of European data, the European Data Protection Directive would override US national law for European citizens. There has been a plethora of evidence to the contrary in the past, but this is the first time that Safe Harbour was challenged in court.

The United States claim jurisdiction over any company with presence in the US. National laws in the US override international law for all these companies. Not only is US data protection law much weaker than the EU's Data Protection Directive, most US law is also written to provide safe-guards and exceptions only to US citizens, not to foreigners. So EU citizens do not even get the lower level of data protection awarded to US citizens when it comes to US governmental and intelligence agencies.

So when asked to rule about this question, it is hard to see how the European Court of Justice could have ruled any other way. This is also reflected in the clarity and brevity of the ruling – Safe Harbour was declared invalid in all but four words, and without any exceptions or transitional periods which the US industry was asking for.

Why is this ruling significant?

This ruling is a fundamental step forward in securing the privacy and data of all European citizens by closing a loophole that was being used to violate the privacy and confidentiality of individuals, governments and companies across Europe.

Your data belongs to you, and you have rights to the privacy and protection of that data.

Secondly, it means that services based in the USA no longer have a legal mechanism to service the European market ensuring full compliance for their clients. That includes a diverse set of commonly used services, including those provided by Google, Microsoft, Facebook, Salesforce.com and many others.

The reach is enormous, touching on mission-critical services such as groupware and online office suites and even entertainment services such as “free” mobile games which rely on trading on your personal information to generate revenue. It does not take much imagination to see how the financial services, health care and life sciences areas will be heavily affected by this. Some lawyers even question the legality of US companies handling their own personnel data for European employees.

Consequently, it is no longer legally safe for European businesses to make use of these services. Employees, customers and employees of partner companies may all have legal recourse against the usage of US services now.

If I am using a service provided by a US company, but the data is kept in Europe, is that OK?

Unfortunately, no. The US government claims global jurisdiction over all assets, including data, of US entities and companies, including companies with subsidiaries or ownership in the US. So even if the data is kept in Europe today, the service provider may be legally compelled to transfer the data at any time and without notice to you.

Making this matter even more complex is that many such services are not built in a way that makes it easy, or even possible, to ensure that your data remains within Europe. Many online services are built to automatically move data around the global data network for processing and use. Making the necessary technical changes to prevent that would take significant time and resources.

How does this affect US businesses?

If you have no business with or customers in the EU, you are not affected.

Within the IT industry, corporations with presence in the United States that focus on providing services over the Internet now find themselves with a severe handicap in the European Union and all those that trade with it. US technology providers are not likely to be affected as much. Especially providers of Open Source solutions to run private clouds in Europe may very well see a dramatic increase in interest.

But the effect is not limited to the IT industry. All sectors of the economy in the United States that trade with or provide services to EU citizens will need to revisit their IT strategy. Where these rely on cloud services from the providers mentioned above, those services might need to be replaced by alternative vendors without US presence.

Companies running their own services or providers in the EU, Switzerland or abroad are likely already compliant with the ruling. If you are uncertain, it is probably a good idea to consult your legal counsel.

How does this affect businesses in Europe?

IT companies without presence in the United States and self-run infrastructure are not affected. Companies that have built their service on US cloud platforms, such as Amazon, are likely not in compliance with the law when serving EU customers and should re-base their services quickly. Those with US subsidiaries might need to take some extra steps to protect their European customers from the implications of this ruling.

All other businesses need to re-visit their IT strategy in terms of compliance with the EU Data Protection Directive. Where US cloud services are used to handle the data of employees, customers and partners, they will likely need replacing. If you are using local service providers, but do not know where they handle their data, you will want to ask them about their hardware, storage and access policy. Many of them have built their offering on “Platform as a Service” offerings by companies affected by the ruling.

What about cloud services?

Services like Office365 and Google Apps always had to provide the US government with access to your data, regardless of where it was stored. Contracts promising anything else have always been invalid under overriding US law, and unenforceable, since there is no way for the user to verify where their data is stored and who may have access to it. Whenever concerns about these known issues were raised, US cloud services typically took refuge in Safe Harbour. That is no longer possible.

In consequence, these services may need to restructure their legal organisation, business and technology to ensure the safety of EU citizens' data. Because this would be expensive, and would open the market to possible competition, their representatives in Brussels and the national capitals are currently trying to re-create the Safe Harbour narrative in any way possible.

It is not clear at this point whether that will be possible, so this may very well be a period of unprecedented innovation, openness and competition in Europe.

What about Switzerland?

The decision of the European Court of Justice is not immediately applicable to Switzerland, but it affects all companies with EU business, presence and staff much in the same way that it affects EU companies. So careful businesses will treat this much in the same way as outlined for EU businesses.

Most of the Swiss IT industry is likely to benefit from this. With the possible exception of Iceland, the legal basis on which Swiss business can provide data protection and privacy is much stronger than in the European Union. There are fewer, more regulated means of access, and punishment for violation of data privacy is harsher.

So Switzerland has a unique position in all of this. Swiss services have played a leading role in providing privacy to the world. That role is only becoming more important.

What should I do to protect my data?

It is well worth seriously considering how you manage your data and where it is stored and used. This is especially true if you handle sensitive data such as company fiscal records or other strategic information, medical information, or even just communication you consider personally private.

Many people have been attracted to the online services offered in the cloud to take advantage of their suite of collaboration tools, without thinking about how that compromises not only their own data, but that of their customers, friends and family.

And while you may surrender some of your own rights, you typically cannot surrender those of others.

Using services based in Europe run by companies who are also European is a good first step. By doing so you will be able to take full advantage of the safeguards offered by the Data Protection Directive and other European laws and privacy aids.

It is also important to consider what software powers those services. A good rule of thumb is this: if you cannot download and run the software that runs the services you use, then you have locked your data into the hands of someone else and are left to blindly trust them to do right on your behalf. For this reason, you should insist that services you use run entirely (not just partly!) on open source software. This ensures that experts can audit the software for flaws and backdoors, while allowing you to easily move your data between service providers, or even to your own servers, without restriction.

There are many other steps you can take as well: use encryption technologies such as GPG for Email; select services hosted in countries with strong and transparent legal frameworks when it comes to personal and data privacy such as Switzerland; ensure the services you use have strong privacy commitments and clear terms of service that put you first as the customer.

What is a good example of such a service?

Kolab Now is a powerful collaboration service that includes email, shared calendaring, contacts, notes, ToDo lists and more, which is hosted entirely in Switzerland and run by a Swiss company. It provides simple terms of service which put your privacy first, and the service itself runs entirely on open source software. They encourage best practices such as email encryption and the use of open source clients.

This grants Kolab a significant advantage over the other options: Your data is yours, now and forever.

Kolab Systems also offers private on-site solutions and dedicated hosting, making it a serious alternative to some other service providers. I would say that of course, I’m the CEO, but find out for yourself. Visit our websites, send us an email or even pick up the phone and give us a call. We would love to help you find a more secure, private and ethical solution for your business.

Rufo Guerreschi

Working towards a democratic, timely, expert, empowered and federal global governance of AI, to turn it into humanity’s greatest invention.

8y

Dear Georg Greve, you made a great summary of Safe Harbour, but then you suggest they rely on hosting services hosted in Switzerland and running on software they can verify. But I think there are a few issues to be assessed in order to provide true added value to end users through services hosted in Switzerland:
- Even if it is all Affero GNU GPL3, they cannot verify, because there is no way to match that what I downloaded matches what is running. Also, that will typically be many millions of lines of code, a large chunk of which is potentially critical, therefore no way to verify even with huge audit budgets.
- The software layer is completely compromised by the HW and firmware layer, especially in x86, and that layer in its most critical part is non-verifiable and/or not verified enough because it is too complex to.
- The Swiss legal system's record of providing good protection to end user clients has been better than others up to a low or mid-level threat. Beyond that it may have been even worse, Crypto AG...

Per-Olav GRAMSTAD

Develops intrapreneurs @ Karlskrona kommun | Scrum Master, COBIT 5

8y

The European Privacy Contest moves on, back to Dublin for the Irish decision, trapped between idealism and opportunism, the winner is .....
