The global cargo traffic on the Internet needs to revise its routes. The Court of Justice of the European Union has declared the so-called „Safe Harbor“ agreement between the European Commission (EC) and US companies invalid. The agreement was a workaround for exporting personal data governed by EU Directive 95/46/EC to a non-EU country: US companies self-certified that they would follow the directive's principles. The ruling was the result of the ‘Europe v Facebook’ lawsuit brought by Austrian law student and privacy activist Max Schrems. This means that European companies may violate EU privacy law when they store or process personal data on US servers. Among the court's arguments were that the powers of the European data protection supervisory authorities must not be constrained by a Commission decision, and that because of the NSA PRISM program the level of protection required by the EU directive cannot be guaranteed in the US. The court was also aware of the National Security Letter problem, which can render any contractual or legal protection ineffective, because the recipient of such a letter cannot even disclose that data was requested.
Translated into a day at the office, the court ruling no longer allows European companies to rely on „Safe Harbor“ as the legal basis for using resources outsourced to US companies, provided they want to adhere to European privacy protection law. This does not come as a surprise. Even without the news items trickling out of the Snowden archives, the „Safe Harbor“ agreement was never more than a list of organisations promising to follow EU Directive 95/46/EC. Being neither a law nor a treaty, it was basically a shopping list for people interested in outsourcing infrastructure and services. This has changed now, although no one has publicly reacted by modifying their outsourced resources and moving them back into regions compatible with EU privacy law. It seems that, despite the best „Cloud“ advertising, it is not that easy to move „cloudy“ operations from one place to another when data protection is at stake.
Of course there are other ways. You can always sign an agreement such as standard contractual clauses or binding corporate rules (BCR) to bridge the gap. Given the potent threats to data privacy and security, such an agreement will not be stronger than the old „Safe Harbor“ agreement: a contract cannot stop surveillance that the contracting party is legally compelled to cooperate with. The court's decision raises some pretty fundamental questions about how and where (parts of) your infrastructure should run and where your data should be stored.
Information security needs to address these issues as well. The „Safe Harbor“ agreement was no technical solution. It was a hack, and now it is officially busted. However, it was part of the information technology infrastructure of many companies, and it therefore needs to be part of the security strategy: an inventory of which data lives on which infrastructure, under whose jurisdiction, is the minimum starting point. DeepSec 2015 has a focus on (industrial) espionage. Learn how to protect your digital assets from third parties, technically and legally.