Data Sovereignty and Safe Harbor
What is Safe Harbor?
The better question is: what was it? The highest court in the European Union has ruled that it is no longer valid.
The Safe Harbor agreement in question was an arrangement between the European Union Commission and the United States, put in place in 2000 after the European Union had passed, in 1998, a new data protection framework protecting personally identifiable data such as names, addresses and social insurance numbers.
This meant that US companies could self-certify their adherence to the agreed principles, and every data protection agency in any of the EU's member states was bound by the adequacy decision this agreement represented. Almost 5,000 US companies were self-certified and therefore able to receive data from EU organizations without a large legal framework, contracts or actual audits.
The European Court cited mass surveillance by US agencies and the lack of adequate protection for EU citizens' rights, which are guaranteed under Articles 7, 8 and 45 of the European Charter of Human Rights. These are rights to which every EU institution and the government organizations of all EU countries must adhere.
The Data Sovereignty Timeline
2000 – Effective year for the US-EU Safe Harbor agreement concerning data privacy
2013 – Snowden Revelations
October 2015 – EU-US Safe Harbor agreement ruled invalid by the European Court of Justice. The European Data Protection Agencies have given the European Commission until January 2016 to negotiate with the US. Otherwise they will proactively start investigating and potentially fining any non-compliant activities. This has no effect on individual complaints, which they are starting to investigate now.
Israel: ILITA, the Israeli Law, Information and Technology Authority, has now also revoked its permission to transfer data from Israel to the US under the EU-US Safe Harbor rules.
Why Do You Care?
If you are handling or processing any data from the European Union (data from any person living there, any work contracts, any data naming individuals in your European subsidiaries, etc.) you are affected.
Based on an individual complaint, any of the 28 national data protection agencies in Europe could already investigate and determine that it is illegal to store any such data in the United States, or with a United States-based service provider or cloud provider (such as Dropbox, Salesforce, Google Docs, etc.).
What Should You Do?
It’s important to understand where data from people in the European Union is processed and stored in your company. This can be in your own organization, in your subsidiaries, at data processing agents or in any type of cloud service. The further that data is from your control, the more concerned you need to be.
Legal frameworks can be put in place, but the most secure and straightforward way is to keep and process such data in your own data center or in data centers under your control. Only then can you be sure to actually notice when an action by a security agency affects such data. You will also need to apply best security practices and all other elements of good data protection.
What can ownCloud do for you?
ownCloud is an enterprise file sync and share solution that gives you back control over your data. ownCloud can be set up and run by you, in any country, under any jurisdiction and in your own data center(s). This greatly simplifies tracking. With the logging functionality (available in ownCloud Enterprise only) you can demonstrate compliance by proving who has had access to which file at which time from which IP. With the File Firewall you can even block access based on policy.
With Federated Cloud Sharing you are able to communicate between ownCloud servers in different geographies based on your needs, enabling better control over files. Soon you will also be able to tag entries that contain personally identifiable data and act according to those tags.
A Message from the CEO
ownCloud CEO Markus Rex discusses the impact the Safe Harbor decision has on him as a German citizen living in the US and as the CEO of a US technology company.