Much to the surprise of the technology industry, Europe’s lawmakers announced the annulment of the EU-US data sharing agreement, named ‘Safe Harbour’, towards the end of last year.
The ruling has triggered concern in the legal departments of US companies that store European citizens’ data. Termination of the agreement potentially opens the door to an influx of privacy lawsuits across EU member states.
The milestone judgement poses a major obstacle for more than 4,000 European and US companies who currently carry out trans-border data transfers. It also poses a hazardous issue for US companies that, until now, processed EU citizen data in the US and believed the data transfer arrangements they had in place met the standards required by EU law.
The Safe Harbour ruling, introduced in 2000, was put in place to regulate the data-transfer between the EU to the US. For the past 16 years, this has allowed US companies to self-certify the provision of ‘adequate protection’ for European users’ data in line with requirements for EU data protection – and fundamental human rights like privacy. However, the revelations by former CIA employee Edward Snowden regarding indiscriminate surveillance by the US National Security Agency triggered a rethink on the subject. Max Schrems, an Austrian privacy activist, decided to take action against Facebook for using the Safe Harbour agreement to transfer European data to the US. The case, which took two years to achieve an outcome, finally came to a head in October 2015 and the Safe Harbour ruling was declared invalid by the European Court of Justice.
As a consequence, every organisation previously covered by Safe Harbour is now potentially out of compliance with European data protection as it stands today. And that’s sent US companies into a scramble about how to manage, store, transfer and use data in Europe.
The termination of the agreement will affect organisations, both large and small. For the bigger players, such as Google and Facebook, the resources are likely to be in place to adapt quickly. These organisations will be able to implement procedural changes around user data flows and building-out additional European data centres to process regional data – but what’s the answer for small and medium-sized enterprises? What's more, how will customers of Internet and cloud services providers be impacted? Data packets don’t know about jurisdictions, and are often transferred sporadically to create resilience and speed up access.
Privacy and consent are both now at the centre of debates taking place about the storing of data at tech and non-tech businesses. This includes European companies reflecting on a more genuine gathering of consent in preparation for the forthcoming EU General Data Protection Regulation (GDPR), due to come into effect in December 2017. The new regulation will standardise laws governing data protection across the region and its scope extends to any foreign company that processes the data of EU residents.
Why are companies operating only in the European region sitting up and paying attention to the Safe Harbour situation? Because while the ECJ ruling has significant impact only on EU-US data transfer mechanisms, it’s likely that other legal tools beyond Safe Harbour will also come in for greater scrutiny as the EU GDPR unwinds – all of which creates uncertainty that today’s data transfer arrangements will meet EU standards.
Indeed, the European Telecoms and Network Operators (ENTO) organisation has long pointed out the weaknesses of the Safe Harbour framework. According to ENTO, today’s digital economy needs legal certainty in this field, and it has called for future arrangements to guarantee a high level of data protection that address the challenges – and opportunities – of the digital era.
One thing is certain. We’re set to see a new wave of compliance-oriented responses in the form of more sophisticated data segmentation/residency/sovereignty, data tokenisation and breach response solutions. But businesses will have to take up a new challenge in the GDPR era – and tactical solutions will be insufficient to meet that challenge. Consider this candidate GDPR legislation wording: “In order to ensure free consent, … consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse to withdraw consent without detriment... The data subject shall have the right to withdraw his or her consent at any time.”
The most strategic long-term approach? Put in place mechanisms for user-consented transfer of data. Luckily, the technology now exists to make this possible: this is where User-Managed Access (UMA) can play a pivotal role.
UMA is a next-generation privacy standard that builds on today’s OAuth web authorisation protocol and gives users convenient, centralised control over how their data is shared, even with multiple data sources. It does this by allowing users to choose ‘scopes’ of sharing based on specific rules – so they can tailor what information they share about themselves, with whom, and for how long. For example, a householder with UMA-enabled smart home devices could delegate video doorbell access to her house sitter for purposes of viewing who’s at the door and letting people in, but not allow the sitter to disable the doorbell camera.
For businesses looking to embrace digital transformation, UMA represents a hyper-efficient solution to the privacy and consent conundrum. By successfully combining both identity management and effective privacy controls, UMA delivers the ‘privacy-by-design’ capabilities today’s corporate and government-based organisations need to respond to data protection obligations.
As the debate continues to rage about what constitutes ‘informed consent’ and whether this can be applied to high dimensional data, it’s worth remembering that privacy is NOT secrecy – rather, it’s all about context, control, choice and respect. And that’s exactly what UMA brings to the table.
As organisations look to respond to the implications of the Safe Harbour ruling, UMA represents a sustainable and agile approach to post consent management. Providing, as it does, a unified control point for people to authorise who and what can get access to their online personal data, content and services.
Eve Maler, VP of Innovation and Emerging Technology at ForgeRock
Image source: Shutterstock/Maksim Kabakou