Safe harbour showdown: Data deal reached between EU and US

A deal was reached today between Europe and the US on the rules governing international data sharing - known as Safe Harbour - something relied on by companies such as Facebook and Google.

Various organisations and industry professionals have offered their reaction to the news.

Daniel Castro, Vice President of the Information Technology and Innovation Foundation:

"We commend U.S. and European negotiators for completing an agreement that avoids disrupting the transatlantic digital economy in the near term by ensuring continuity for the thousands of U.S. and European companies providing services across the two markets. Free flow of data across borders is essential to global trade and commerce, and this renewed agreement marks an important step forward for U.S.-EU cooperation.

"In the wake of the Snowden disclosures, European citizens and policymakers are understandably concerned about privacy safeguards in U.S. law. But abruptly revoking the Safe Harbor agreement was the wrong way to address those concerns. We are pleased that U.S. and European policymakers have resolved this issue and support the free flow of data between these two markets. We hope the new agreement signifies a line of thinking that will shape future EU policy decisions as well.

"Going forward, the United States and EU should make a number of much-needed privacy reforms to continue rebuilding trust and cooperation and ensure the world’s most critical economic relationship continues to endure in the digital age. In the United States, this includes further surveillance reform and passing the Judicial Redress Act. In Europe, this means rejecting protectionist measures, such as a European Cloud, and fully embracing the spirit of a digital single market, not just in Europe, but globally.

"Both countries should also come together to work more closely on important issues such as promoting strong encryption and improving cyber security. And ultimately, the European Commission should reformulate its data protection regulations to replace the “adequacy” standard with a “duty-of-care” provision that requires companies doing business in Europe to be responsible for the actions of their agents and business partners, regardless of where they are located."

Antony Walker, deputy CEO of techUK:

“Today’s announcement of a new deal for EU-US data transfers is extremely important. The European Commission and US Administration must now show total commitment to implementing this agreement (the EU-US Privacy Shield) and getting trans-Atlantic data flows back onto a secure and stable legal footing. Businesses large and small across Europe need reliable and affordable legal mechanisms to enable the data transfers that underpin their operations and ability to serve customers. The fact that EU and US negotiators have worked day and night for several months to secure this agreement reflects how important transatlantic data flows are to the global digital economy.

"Data Protection Authorities across Europe must play a constructive role in supporting this new agreement. It is essential that they allow time for this agreement to work and refrain from further regulatory action on other transfer mechanisms."

Rick Orloff, Chief Security Officer at Code42:

"Brussels and Washington have finally struck an agreement for renewing Safe Harbour—but for most businesses this won’t be the regulation to end all regulations. The onus to protect customer data must be on companies themselves, something large-scale policy can rarely do in a comprehensive manner.

"The concern for privacy amidst proliferation of personal and corporate data is a valid driving force behind the General Data Protection Regulation (GDPR), the pending Snoopers’ Charter and now the new Safe Harbour agreement. But it does not necessarily reflect how data moves, making the focus on data server locations irrelevant in the bigger picture of information security.

"A significant portion of sensitive company information is on the laptops, smartphones and workstations of employees—this movement of data to the edge of the network—away from the data centre—poses the biggest threat for CIOs and CISOs. To protect your data, you first need to secure the endpoints in your organisation and protect the data residing on them.

"This should be of primary concern before bewailing the difficulties of data movement across borders and to foreign servers."

Dave Packer, VP Product Management at Druva:

"This new agreement looks to provide more assurance for EU organisations and individuals about the security of their data. Although we were able to continue business in the EU because of our assurances around data privacy and security, we are still waiting on the final wording of the new agreement and the European Court will have to rule on the draft as well. Nevertheless, this provides a good stopgap for data privacy, and I think that we should see a more permanent solution in due course.”

“It will be interesting to see this work alongside the EU General Data Protection Regulation that is also going through its process. Taken together, there have been a lot of changes for businesses dealing with EU customers to consider.

"Druva believes the best approach for the moment is to concentrate on applying data security best practices – so encryption, firewalls and anti-virus technologies and the like – but also make sure that there is a more proactive approach in place towards managing data as it is created regardless of location, rather than centrally after the fact. This will help companies keep in compliance with any new changes or developments in regulation.”

Tim Barker, CEO of DataSift:

"With the just-announced deal between US and European officials involving EU/US data transfer, we're seeing renewed focus on the intersection of data sovereignty and privacy in both regions," said Tim Barker, CEO, DataSift. "The topics of consumer data usage and privacy are top of mind for both companies and consumers -- a prime example being the recent Pew research study revealing Americans' varying consent when it comes to privacy. For brands, and marketers in particular, this ruling may bring with it some drastic changes in how data is processed -- and these changes will need to be addressed quickly.

"With social data in particular, the shift is now toward anonymous, aggregated data that provides marketers with insights and trends, but protects user identity. In order for businesses to address this shift -- and survive and thrive -- a Privacy-by-Design approach to consumer data is needed now more than ever."
