Safe Harbor for the cloud - not any port in the storm


Safe harbour, according to my dictionary, is anywhere or any situation that can offer refuge or protection. Delve into a legal dictionary and the definition becomes, as you might expect, a little more wordy: 'a safe harbour is that provision of a statute or regulation which specifies certain conduct will be deemed not to violate any given rule'.

However, it gets even more convoluted than lawyer talk: if you want real complication, you have to start looking at safe harbour in the cloud.

I'm pretty sure that most people reading this will be au fait with the Safe Harbor Scheme (note the US spelling, which from now on will be used to refer to the legal framework rather than the general concept) run by the US Department of Commerce. But for those who aren't, here's a brief recap.

Dating way back to the start of the millennium, Safe Harbor essentially enables an exchange of data within European data protection regulatory guidelines by requiring that US-based companies follow basic principles; for example, informing those concerned how their data is collected and used. Adhere to the Safe Harbor rules (and compliance is self-certified, just to throw the first privacy spanner in the works) and EU businesses can happily throw their data in the direction of US-based cloud providers without breaching data protection laws. Or can they?

Germany opted out of the Safe Harbor agreement, and even before the whole PRISM thing exploded into the public consciousness (introducing bloody big privacy spanner number two) Europe as a regulatory whole itself appeared uncertain as well.

The European Commission Article 29 Working Party throws the third and final spanner in the direction of Safe Harbor when it talks about cloud providers adopting 'reasonable measures' to prevent 'interference with the integrity of its IT systems' and suggests, in fact recommends, that communications between cloud provider and cloud customer be encrypted along with communications between data centres. It goes further than that, recommending that any remote administration of a cloud platform should only be executed via such secure channels.

The recommendation also stated that the working party considered "companies exporting data should not merely rely on the statement of the data importer claiming that he has a Safe Harbor certification" - well, no smelly stuff Sherlock, really? "The company exporting data should obtain evidence that the Safe Harbor self-certification exists", the recommendation continued, "and request evidence demonstrating that their principles are complied with".

The simple fact of the matter is, surely, that the US has never been considered a safe place to store data. If it were, then a Safe Harbor agreement would not have been required in the first place.

Post-PRISM, we seem ready to assume, as our starting point, that there is inadequate privacy protection for data in the US. To try to get to grips with whether I'm right to have such major doubts myself as to the real-world viability of self-certified Safe Harbor security promises, set against a backdrop of data snooping at the highest governmental levels, I asked William Long (http://www.sidley.com), who specialises in privacy, data security and information law, whether Safe Harbor can be considered anything of the sort now.

He told me that following on from the NSA revelations the European Commission is now reviewing the EU/US Safe Harbor framework with the European Commissioner for Justice, Fundamental Rights and Citizenship, Viviane Reding, stating that “the safe-harbor agreement may not be so safe after all”. Reding went on to add, out of interest, that Safe Harbor could be "a loophole for data transfers" because it allows data transfers from EU to US companies even though "US data protection standards are lower than our European ones". Long also pointed me back towards Germany for clues about the future of the agreement as German data protection commissioners have recently criticized the access to personal data by foreign national intelligence agencies.

In its press release dated 24 July, 2013 the Conference of German Federal and State Data Protection Commissioners announced that German data protection supervisory authorities will not issue any new permission for data transfer to non-EU countries and will examine whether such data transfers should be suspended on the basis of the Safe Harbor framework and the standard contractual clauses until it is guaranteed that foreign intelligence agencies do not have unlimited access to personal data of German citizens. The Conference called on the Commission to suspend its decisions on EU – U.S. Safe Harbor framework and the EU-Standard Contractual Clauses until further notice.

"It should also be noted that under the proposed EU Data Protection Regulation, as amended by the European Parliament’s Rapporteur Jan Philip Albrecht" Long points out "the US Safe Harbor will only remain in force for two years after the Regulation takes effect". Long ponders that this may lead to companies, such as cloud providers and cloud customers, needing to assess whether their data protection compliance efforts and data transfer solutions (such as Safe Harbor) remain valid and whether to consider other data transfer options such as Binding Corporate Rules which are now available for data processors such as cloud providers.

Binding what now? "Binding Corporate Rules for Processors is a global privacy policy adopted by a data processor, such as a cloud provider, based on European data protection standards which once approved by relevant EU data protection authorities allows an international organisation to transfer personal data outside the EEA to its other group companies" Long explains, continuing "Binding Corporate Rules for Processors have been recently launched by the EU in January 2013 and they should prove popular for cloud providers".

Given the total disarray that the Safe Harbor framework seems to be in now, popular might be an understatement...

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.