How tech vendors are reacting to the Safe Harbor ruling

Safe Harbor was all about ensuring U.S. companies could operate freely on an international scale. That safe harbor, however, doesn't seem so safe anymore.

Tech vendors speak out Safe Harbor ruling

Safe Harbor is the quaintly named policy agreement between the U.S. Department of Commerce and the European Union (E.U.) in November 2000. The agreement was designed to regulate the way that U.S. companies export and handle the personal data of European citizens. It is a compromise that was set up in response to a European directive that differed from traditional business procedures for U.S. companies dealing with the EU. In 1998, the EU established the European Commission Directive on Data Protection, which prohibited data transfer to non-European countries that did not adhere to stringent criteria. In effect, because the guidelines were very strict, they made it illegal to transfer most citizens' personal data outside of Europe.

Safe Harbor rectified that and, since 2000, U.S. companies have enjoyed the certainty that it brings. That is, until a few weeks ago when European Court of Justice (ECJ) Advocate General Yves Bot decided to call for the invalidation of the Safe Harbor agreement between the United States and the European Union.

The call was a direct result of an action filed last year by Austrian law student Maximilian Schrems. Schrems filed a complaint with the Irish Data Protection Commissioner claiming that Safe Harbor did not sufficiently protect his Facebook data that was stored in the U.S. and hence was subject to government surveillance. That action was thrown out by the Irish Data Protection Commissioner. Schrems, undeterred, appealed and the case nonetheless and got it sent to the ECJ.

The ECJ agreed with Bot's opinions and overturned the Safe Harbor agreement, thus resulting in a potential suspension of data transfer should a particular company not adequately protect user data.

Much has been written by commentators about the decision, but I thought it was worthwhile talking to some vendors about their perspective on the decision.

Alistair Mitchell, CEO of UK-founded (but now headquartered on both sides of the Atlantic) file sharing vendor Huddle, has probably more experience balancing these tensions than most. Huddle was an early government winner, securing a whole-government contract in the UK. Mitchell said that:

Concerns over data residency are not new, but they’re growing. What was once limited to the public sector and government has now extended to highly regulated industries such as accounting, consulting and banking. In our survey of 4,000 government IT professionals and employees, 66% ranked maintaining UK data residency as important. Today, more than 5,000 companies rely on Safe Harbor for transferring EU data to U.S. servers. While this week’s decision does not spell an immediate end for Safe Harbor, it does give regulators the right to investigate and suspend data transfers if they don’t feel the data is significantly protected — potentially a major setback for businesses that want to collaborate across borders. Negotiations between the U.S. and EU are already underway, but keeping in mind that they’ve been ongoing for the past two years, it will be more important than ever for companies to look to to conduct a risk assessment as to the adequate level of protection needed for their data.

To ameliorate these risks, Huddle maintains data centers in the UK and within Europe (as well as a totally separate instance within the U.S).

Tom Kemp is CEO of identity management vendor Centrify. Centirfy is a U.S.-founded and based company and hence could be expected to have a slightly different take on the situation. Kemp had a nuanced view on the news, and one which differentiated between various types of technology vendor. As he pointed out:

For companies whose business it is to consolidate and analyze data and then sell indirect access to this data (e.g. Facebook), the dissolution of Safe Harbor is problematic as it impacts their core business model. For cloud vendors that sell to enterprises where the focus is on processing and analyzing a single customer’s data (vs. aggregating multiple customers’ data), it should be less of a problem. This is assuming that they have built their cloud platform to support multiple cloud instances that can be deployed in local data centers and giving customers the option of choosing which data center they want to use when they sign up for the service. Unfortunately, most cloud vendors who sell to enterprises have probably not set up their cloud offering in this way and don’t have multiple data centers throughout the world.

Self-interest obviously (Centrify follows this geographically granular approach), but a valid view nonetheless.

Cloud infrastructure vendor ProfitBricks is in a third category. An existing strong player in the European (especially German) market, ProfitBricks is trying hard to move into the U.S. market. CEO Andreas Gauger said that:

The EU’s ruling has made the cloud very physical by shifting the focus to the physical location in which it is stored and how it is transferred. One sure way that U.S. companies can comply is to only shortlist EU companies that have data centers located in the EU. They should also make sure to understand and meet the data protection laws in each country in which they plan to do business. If the companies plan to have customers in the large German market they should only pick a company registered there, with data centers in Germany itself. It’s next to impossible to meet the German data protection laws' requirements without signing an agreement with a German company. This is an unfortunate and costly ruling, and undermines the long-standing commitment that infrastructure providers have used to implement data protection methods for customer data. Quality IaaS providers provide customers with secure, cloud-based virtual infrastructure and are flexible enough to run the tools and software defined networking architectures that give customers control over their data, encryption methods and data transfer methods.”

There's obviously a degree of self-interest from all three vendors, but their perspectives, and the advice generated from thos perspectives, are valid.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2015 IDG Communications, Inc.