With the increasing reliance on cloud-based services, and the ability for data to reside anywhere in the world, the EU's approach to personal data protection is under threat. This post looks at the history behind that approach and at some of the issues raised by recent revelations.
A European Perspective
With the rapid increase in electronic processing of data during the 1970s, concerns started to be raised within Europe about the proliferation and potential misuse of personal information. Data on individuals was being aggregated, communicated and used for a rapidly expanding number of purposes, such as credit-worthiness checks, employment and insurance background checks and a booming direct marketing industry. For cultural reasons, financial and medical information was considered highly personal, but at the same time it was among the most valuable for marketing purposes.
Consequently, countries within Europe began enacting protective legislation. The details varied, but there was consensus on many of the underlying principles: individuals should be able to know what personal information was being held about them and why, to challenge and correct it, and to prevent it from being passed on or used for other purposes without their consent.
Concerns were not limited to commercial organisations. Many countries in Europe have an uneasy history of governments using personal information for surveillance, and there were worries about the misuse of data on political affiliations or activities. In the United Kingdom these concerns led to the Data Protection Act 1984, passed, ironically, in the year that gives its title to George Orwell's dystopian novel, in which Big Brother exercises almost total surveillance (and thus control) of the population.
The EU Data Protection Directive
As the practice of companies outsourcing their data processing to third parties became more prevalent, there was also concern about the transfer of personal data to other jurisdictions. Increasingly, data was being processed in countries other than the one in which it had been collected, where it might not be subject to the same legal protection.
In 1995 the European Union adopted the Data Protection Directive (95/46/EC), which required all member states of the European Economic Area (EEA) to incorporate a number of rules (agreed by consensus) into their own data protection laws, thus establishing a Europe-wide minimum level of protection. In the UK this took the form of the Data Protection Act 1998, which came into force in March 2000.
The UK Act sets out eight data protection principles, which reflect the requirements of the Directive. Personal data is defined as data relating to a living individual who can be identified from it, and broadly speaking it must be:
- fairly and lawfully processed
- processed for limited and well defined purposes
- adequate, relevant and not excessive
- accurate and up to date
- not kept for longer than is necessary
- processed in line with the rights of individuals
- stored securely
- not transferred outside the EEA unless the destination country ensures an adequate level of data protection
EU/US Safe Harbour agreement
The USA was, and is, a major trading partner for the EU, and it also provided many of the data processing services that EU companies wanted to use. There was no prospect of the USA changing its legislation to meet European standards, so in the grand tradition of politics a compromise was reached.
The EU and the U.S. Department of Commerce negotiated a Safe Harbour agreement (or "safe harbor" if you are on the other side of the Atlantic). This was a framework by which companies within the USA could certify that they provided sufficient data protection measures to meet EU standards, without such measures being required by US law. It was then legal for EU companies to pass personal data to companies in the USA that were on the Safe Harbour List.
The Safe Harbour agreement was not without its detractors. In particular there were concerns that it was a self-regulated system: the list was administered by the U.S. Department of Commerce, companies self-certified their compliance, there was no system of mandated compliance checks, and enforcement, by the Federal Trade Commission (FTC), would be largely complaint driven. However, after much debate it was finally approved by the EU (Commission Decision 2000/520/EC) in July 2000.
The Patriot Act
A year later came the dreadful attack of 9/11, and just over a month after that the USA PATRIOT Act was rushed through Congress. This anti-terrorism legislation covered many areas, but one of the things it allowed was for the US government to inspect data held by any US company or its wholly owned subsidiaries, regardless of the Safe Harbour agreement.
This raised a potential issue. While all European countries have laws that provide for access to personal data for state security purposes, the powers afforded by the PATRIOT Act appeared to be broader, and to require a lower standard of "probable cause" than would be permitted in Europe. This meant that personal data held by a Safe Harbour company could potentially be accessed in a way that would be illegal in the EU, effectively subverting the Safe Harbour agreement.
However, despite this and its self-certification weakness, the Safe Harbour agreement seemed to work reasonably well. The FTC did take enforcement action against companies and organisations found to have broken the rules, and the rapid growth in cloud-based services meant that large volumes of EU personal data were held in the US or by US-based companies.
Edward Snowden & the NSA
Then in 2013 a disaffected former employee of the CIA and contractor for the National Security Agency set the cat among the pigeons. Edward Snowden's revelations showed that the NSA was carrying out systematic and wide-reaching surveillance on a huge scale. While many of the NSA's activities were clearly legal in the USA, others were questionable, and one of them (the bulk collection of telephone metadata) has since been ruled likely unconstitutional by a US federal judge.
In addition to the significant damage done to the USA's relationships with its allies and partners, the revelations re-focused attention on the Safe Harbour agreement, with concerns about the US's regard (or lack thereof) for EU citizens' data.
For example, among the many revelations was the fact that the NSA had been secretly accessing Yahoo and Google data by tapping the fibre links connecting the companies' data centres (the programme code-named MUSCULAR), collecting information on hundreds of millions of accounts. Leaked NSA documents mention "bulk access", "full take" and "high volume" with regard to such interceptions. This kind of dragnet surveillance is highly problematic for the EU, particularly with regard to data protection.
The revelations prompted the European Commission to carry out a review of the Safe Harbour agreement, and earlier this year the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) committee backed a call for its "immediate suspension".
The EU's Justice Commissioner, Viviane Reding, threatened to do just that if the US failed to act on the Commission's concerns by the summer of 2014:
“The Commission has made 13 concrete recommendations... Safe Harbour has to be strengthened or it will be suspended.”
Such a suspension would have a big impact on US-based cloud service providers, who have already seen a significant decline in business attributed to a loss of trust following Snowden's revelations. However, it would also have serious consequences for the many EU-based companies that currently hold personal data with US companies.
Access to Data held in the EU
To make matters worse for EU companies holding data in the cloud, it has become clear that data held by US companies physically outside the US is not beyond the reach of the PATRIOT Act (as had often been assumed). Because the Act applies to all US companies and their wholly owned subsidiaries, it can be used to force an EU-based subsidiary, such as Microsoft UK or Amazon Ireland, to hand over its data to the US authorities.
In such cases there may be legal conflicts between US and local legislation, but statements from companies such as Microsoft and Google, as well as from the UK Information Commissioner's Office, make it clear that EU-based, wholly owned subsidiaries of US companies are vulnerable to the PATRIOT Act.
The Safe Harbour agreement in its current form actually increases this exposure, since an EU-based subsidiary can legally transfer data to its parent company if that company is registered under Safe Harbour. Once the data is in the US it is entirely within the scope of the PATRIOT Act.
Data held outside the US may also be reachable by other means. A US judge recently ruled that Microsoft must produce emails held on a server in Ireland. The emails had been demanded under a US search warrant issued under the Stored Communications Act. Ordinarily such a warrant would not be enforceable outside the US, but the judge ruled that it should be treated in the same way as a subpoena for documents, which under US law applies regardless of where the documents are held. Microsoft is challenging the ruling.
Consequences
At the moment there is a lot of uncertainty about data protection and the status of personal information held in the cloud. Because the USA is home to the largest cloud storage and service providers, it has been the focus of much of the debate, but many of the legal issues and concerns apply equally elsewhere, including within the EU itself: GCHQ in the UK, for example, and the role it has played in the NSA's surveillance activities.
What is almost certain is that there will be changes to EU legislation on data protection at some point and probably changes to the Safe Harbour agreement. There have been calls to reduce EU dependence on non-EU cloud service providers by developing its own infrastructure and this is likely to continue. It is conceivable that some US companies could partner with companies based in the EU to avoid the "wholly owned subsidiary" aspect of the PATRIOT act. However, doing so might be viewed very negatively by their home markets in the US, so may not be tenable for many of the well-known names.
What is your view?
At MobiCloud we would be very interested to hear whether these issues are currently a concern for companies considering enterprise mobility applications. They may even be seen as an opportunity for European cloud infrastructure providers. For some companies using cloud-based solutions the issues may be almost academic. If you are already in the cloud to stay then do you have other more prosaic or pressing security concerns? Please let us know.