back to article Don't panic, biz bods: A guide to data in the post-Safe Harbor world

The Safe Harbor agreement this week suddenly became of interest to a lot more IT managers than had previously given a stuff about it. But what is Safe Harbor, exactly? The Safe Harbor agreement between the US and the EEA - which comprises the member states of the EU plus Iceland, Norway and Liechtenstein – dating from 2000, …

  1. Jason Bloomberg Silver badge

    IANAL but didn't the ECJ effectively rule that the US does not have adequate laws in place to provide satisfactory data protection?

    Isn't that a ruling which, no matter what due diligence is undertaken, rules America out as an acceptable place to process data?

    1. Anonymous Coward
      Anonymous Coward

      You got it in a nutshell

      Point eight of the Data Protection Principles states

      "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

      The ECJ has said that the USA does not comply.

      Point 9 of the checklist says

      " If not, can you put in place adequate safeguards to protect the rights of the data subjects whose data is to be transferred?"

      We know that the US authorities (NSA, FBI, etc) can demand access to any data held in the US, and that data holders such as Facebook. Microsoft, Apple etc will obey their masters, so the only way to protect this data is to use strong encryption and refuse to give the keys. This is illegal in the USA and they can try to extradite you from the UK if you try it. UK authorities have shown themselves happy to comply with similar extraditions.

      I expect not much will happen until an activist like Max Schrems takes the next step and starts proceedings against the Data Protection Manager of one of these companies. A bit of jail time may focus their minds on the need to de-USA data storage.

    2. Anonymous Coward
      Anonymous Coward

      Isn't that a ruling which, no matter what due diligence is undertaken, rules confirms America out as an acceptable place to process data?

      Fixed it for you. It's old news for those that need to work with information that Data Protection classes as "sensitive".

    3. nsld


      That is the key point.

      You can try to polish the turd with BCR's and Model Contract Clauses but you will still fall down on the article 8 (2) requirement.

      The only way to get round that would be a change in US law to afford aliens more privacy rights than the locals or a change to FISA and the Patriot Act (amongst others) to add oversight and redress to the process.

      Neither of those is a vote winner from a US perspective, can you imagine Donald Trumps reaction to "aliens" having more rights?

      The issue is really that its the Data Controllers responsibility to ensure that the requirements are met which means not sticking data into the US until things change.

      The big players got ready for this in advance with EU data centres etc its now upto the smaller players to get into a better position.

    4. a_yank_lurker

      Given the fondness of US three letter criminal entities (er federal agencies) for snooping, backdoors, and any other illegal data grabbing/fondling they can come up with the US was never and is not a safe place to process data.

  2. Anonymous Coward
    Anonymous Coward

    The only thing you have to really know ..

    .. is that this is not a new problem. It's only become public that it is a problem. Anyone with a basic understanding of how Safe Harbor works and with a real desire to protect customer information would not have even considered hosting anything sensitive in the US.

    The first lesson when dealing with something that has a massive political angle is that you ought to remain calm and not act too quickly. Think, observe and wait until the dust has settled - there is another verdict pending which will define just how unsafe your data is in the hands of a US provider (yes, unsafe, it has never been safe, irrespective of what they're trying to tell you). I would wait at least until the end of this month before finalising any migration plans.

  3. alain williams Silver badge

    The cynic in me ...

    thinks that this will be a hot topic to a few nerds in the IT/database world for a few weeks. Then some smart ass lawyer will come up with something that doesn't change anything at all but will allow everyone to go back to sleep. The company CEOs, etc, will-fully keeping their eyes shut tight while singing 'La-La' because they don't want to go through the bother of doing anything.

    If someone complains, the answer will be 'sue us' (after being ignored for months). It will be up to a few individuals to do something - spending lots of money.

    By the time it gets to court TiSA will be in force and muddy the whole issue - if not allowing anyone to do anything with anyone's data. If a government tries to stop them, the government will be sued under TiSA provisions.

    The data protection registrar will remain quietly asleep.

  4. Your alien overlord - fear me

    Call me ignorant but if your data is 'in the cloud' how do you know the cloud data won't move to the USA (or anywhere else really) without your knowledge? After all, it's in the cloud and as we all know, clouds drift where they like, ignoring country borders.

    1. Anonymous Coward
      Anonymous Coward

      @Your alien - It's just like in real life!

      If you look up the sky and see a cloud in Europe and do the same in the USoA, that doesn't mean they're the same cloud.

    2. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    That data is ours

    So USA keep your mits off it. We can misuse it well enough ourselves without your help ok!

    1. Anonymous Coward

      Re: That data is ours

      Last time I looked, the various EU intelligence services fell all over themselves setting up sharing arrangements of the 'take' with the NSA. So it's all your data belong to US. Your intelligence agencies need a muzzle just as much, if not more, than ours. What evil have we all wrought by merely doing nothing.

  6. Anonymous Coward
    Anonymous Coward

    American data in UK

    I run a small company in the UK and have quite a number of American customers, is there any requirement to keep their data safe seeing as they are not European?

    1. alain williams Silver badge

      Re: American data in UK

      The EU data protection laws do not make a distinction of who the data subjects are. You should thus look after data about people from the USA as well as you would data about people in the EU.

      This does raise an interesting point: since the USA is unsafe how much data about USA customers should you share with people in the USA. In particular if the FBI ask you for what a 'mercan has been up to, should you comply unless they get a court order in a UK court to compel you to ?

    2. Doctor Syntax Silver badge

      Re: American data in UK


      "Where the country (or territory) of origin of the information is outside the EEA it is important to remember that the DPA is not intended to provide a different level of protection for the data subjects rights than that provided by the data protection regime,if any, in the non-EEA country of origin."

  7. Anonymous Coward
    Anonymous Coward


    so - let's take a hypothetical EU citizen (lets call her Angela). She uses Microsoft's servers in Ireland.

    A court in the United States orders Microsoft to transfer data outside the EEA in the absence of a Safe Harbor Agreement, and without providing a valid warrant, under Irish law, for Angela's data.

    How does that fit in with data protection? ;-)

    1. Yet Another Anonymous coward Silver badge

      Re: confusing?

      Then Microsoft will be breaking the law in Ireland and will be prosecuted to the full power of the Irish DPA (a room above a chip shop) can bring against a massive US corporation who have a sweet deal with Irish government to keep their HQ there and pay bugger all tax

      ie they will do nothing

  8. Anonymous Coward
    Anonymous Coward

    It's all an Act. They'll keep doing it anyway and blame it on a couple of software engineers.

  9. Griffo

    Legal Constructs to save the day?

    Think about how this adds to the current case of Microsoft (yes Microsoft for all you MS haters on here) fighting the US government to protect their customers data stored in Ireland.

    If MS lose that case, and they can't come up with a solution to the safe-harbour ruling, then they are probably going to witness the destruction of their overseas cloud business. I doubt they don't have a plan up their sleeves that would involve some kind of break-out of the cloud side of the business to "partners" established in each datacenter country. A bit like they do with Vianet in China. That way the data would be hosted by an in-country organisation that would be solely bound by that countries laws.

    1. Looper

      Re: Legal Constructs to save the day?

      Potential outcomes of: "If MS lose that case"...

      1/ The US govt legally (in the US) demands that MS hand over over the data.

      2/ MS EU giving the data to the US govt is illegal (in Ireland and every other EU member state), since the data pertains to citizens of EU member states, and must respect EU privacy legislation.

      3/ Any citizen of any EU member state can bring legal proceedings against MS EU if they comply with the US govt demand for the data.

      4/ The US govt can bring legal proceedings against MS if they do not comply with the US govt demand for the data.

      5/ MS get sued either way. They will probably go the way of least collateral damage.

      6/ Watch as the US IT corporate world either a) goes into meltdown, b) comes up with a new legal arrangement for their offshore entities that disconnect themselves completely from US ownership, and thus avoid compliance with US law.

      7/ Watch the backlash against the US govt from the marketplace.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like