Edward Snowden’s revelations about the extent of America’s NSA surveillance program PRISM caused shockwaves around the world. Private citizens and businesses were routinely subject to online eavesdropping, allegedly in an effort to counter global terrorism.
What’s the story with Safe Harbor?
The European Union were particularly concerned about how their citizens’ data was being handled by several remote file-storage service providers. The UK is subject to some particularly stringent personal data laws that typically prevent personal information being transferred outside the EU.
A compromise deal called ‘Safe Harbor’ was reached whereby US-based service providers who self-certified their provisions as being compliant with EU data protection principles would be allowed to export information for storage and processing in their offshore datacenters. Once the extent of the PRISM surveillance program became apparent, the European Court of Justice annulled the Safe Harbor provisions, and launched an immediate inquiry into how to proceed.
Obviously this leaves any UK-based business using non-EU cloud services for processing personal data in limbo as they wait to see whether they will be forced to repatriate that information.
The consultation period has closed. What now?
Discussions between the EU and US governments have now finished, and it seems very unlikely that there will be any major changes to the way that Cloud services are provided; it will come as a relief to many to hear that there is almost no chance that the EU will demand data repatriation. Instead, both parties have been exploring ways to strengthen the rights of individuals whose data is stored in off-shore datacenters.
New rights and an ombudsman
One of the priorities has been to create a robust framework for customer complaints in the US. The new regime is expected to open several channels by which data protection compliance concerns can be raised and escalated to the relevant authorities on both sides of the Atlantic. The EU is also pushing for the same data protection rights enjoyed by US citizens to be applied to their own. It is hoped that by standardising the way in which data privacy is handled, service providers will be able to operate more transparently with their EU customers.
To ensure that data is handled correctly, the EU has proposed the institution of an ombudsman to oversee every complaint, and to provide decisions by which both governments are bound. There will also be an annual review to assess how the replacement framework is working, and whether it is delivering the expected safeguards and protections for EU citizens.
How to get Safe Harbor 2.0 right
Although Cloud services themselves are unlikely to change significantly, the legislation that makes EU-US data sharing possible will need to be strengthened. By giving EU citizens a greater say in how their data is handled, it is hoped that service providers will be able to regain customer trust lost in the fallout from the PRISM scandal.