Safe Harbor not safe enough for EU cloud data
EU body suggests flaws in EU/US Safe Harbor agreement
A July 2 recommendation from an independent European advisory body states "Safe Harbor" data protection agreement between the US and EU is not enough to provide true security for European organizations' data. Such an opinion could drastically affect the adoption of cloud computing by European companies in a predominately US-based cloud world.
While this WP 196 recommendation from the Article 29 Working Party is not legally binding, the group carries enough weight in Europe's IT circles to heavily influence decisions on where and how cloud-based data is stored. The group is made up of members from the national data protection authorities from all 27 European Union Member States… essentially the "justice league" of data security in Europe, without the tights.
Safe Harbor is not new to friction between the US and the EU's data protection policies: the policy itself is a compromise to bridge the gap between the EU's 1998 European Commission Directive on Data Protection (ECDDP), which blocked data from being transferred to outside the European Economic Area unless the EU's strict protection guidelines were followed.
The problem was that US policies handled data like names and addresses in ways that were way outside the ECDDP, which would have effectively stopped any European data from being stored on US systems, were it not for Safe Harbor.
Established in the Fall of 2000, Safe Harbor was a compromise that would allow data interchange to take place. Safe Harbor requires that companies follow a certain set of privacy practices, such as informing individuals that their data is being collected and how it will be used.
The WP 196 has directly challenged the notion of Safe Harbor as a viable compromise not because of the principles to which data holders must adhere, but rather the fact that Safe Harbor companies are self-certified.
"…[I]n the view of the Working Party, sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment," the document stated. "The Working Party considers that companies exporting data should not merely rely on the statement of the data importer claiming that he has a Safe Harbor certification. On the contrary, the company exporting data should obtain evidence that the Safe Harbor self-certifications exists and request evidence demonstrating that their principles are complied with."
If this recommendation from the Working Party is heeded, it could represent a significant barrier in the adoption of cloud computing in Europe and the US. Most cloud providers are based in the US, and if the Safe Harbor self-certifications aren't changed, a lot of EU companies are going to shy away hosting their data on such services.
This could be the start of a geographically-based cloud war, unless the Safe Harbor procedures are changed to something more to the EU's liking. If US cloud providers don't fix the problem soon, a new crop of EU cloud providers would have a shot to step in and fill the void for EU customers. Right now, the presence of US cloud providers on the market have kept European counterparts from gaining much traction. That could change.
National data projection laws are serious matters, and could be a significant obstacle for One Big Cloud, leaving us instead with smaller clouds based on nations and economic zones.
Read more of Brian Proffitt's Open for Discussion blog and follow the latest IT news at ITworld. Drop Brian a line or follow Brian on Twitter at @TheTechScribe. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.