Safe Harbor: should America be brought into line with Europe?

Or will the reverse be true...? Since the Safe Harbor Act was recently revoked by the European Court of Justice, Dutch data centres and cloud hosters have been inundated with questions about it. There seems to be a lot of confusion regarding the safety of data that is stored outside the Netherlands.

What can you do to ensure your suppliers keep your information secure? Is it likely that the US will have to conform to Europe in this regard? Is it not more likely that Europe will have to conform to the US model in the long run?

Whether we are concerned with cloud, hybrid cloud, IaaS or SaaS, we can no longer work without this flexible form of computing. However, the privacy-sensitive data of Dutch companies that is stored in the cloud must comply with all the privacy rules applicable in the EU, even if the data is transferred between international data centres.

Until very recently, the Safe Harbor Act offered some guarantee that the data would also be covered by European legislation even if it was stored in the US, but since this act was revoked by the European Court of Justice, this is only the case if your data is stored in Europe. This is because US public bodies are not covered by the agreement, as a result of which the US government may request legal access to data in data centres, even in Europe, as long as it belongs to US companies. Is this such a bad thing?

Well, according to European law it is, certainly in light of the revelations made by Edward Snowden.

Safe harbor is a relative concept

The abolition of the Safe Harbor Act will certainly have consequences for the service provided by international data centres and public cloud providers. We may even see this reflected in the costs of these services.

In many cases, the solution is for new agreements to be concluded with American data centres, which must guarantee that they conform to European privacy legislation. However, we cannot ignore the fact that the US is still head and shoulders above Europe when it comes to services related to cloud and data centre solutions. We cannot ignore this difference in scale and assume that the US will easily conform to the European model. It may not happen immediately, but Europe may well give up on the battle for privacy in a few years' time.

I can also see parallels here with the extremely limited expectations of the younger generations regarding privacy. What will happen in future when they are the ones making the decisions in business? Will we continue to worry about privacy and information security or will we consider it completely normal for data to be accessed anywhere in the world? In the latter case, this would mean that we would have long been conforming to US legislation. In addition, I wonder whether the US is really the greatest threat to our privacy. Other countries may well present an even greater danger.

New agreements

The alternative to all of this is to make sure you obtain the right information from your provider of data centre or cloud services. Ask them which of their suppliers will have access to your processed data and whether they comply with European privacy legislation. Data centres must enter into what is known as a Data Processing Agreement (DPA) with their suppliers for this purpose.

It is therefore certainly possible to achieve adequate legal privacy protection for data in the US. It is also possible, however, that this controversial discussion will become irrelevant in the long run when the younger generation calls the shots. We may even adjust our view to be more in keeping with American legislation as it is today. Perhaps a new agreement will appear in the short term that will replace the Safe Harbor Act and be applicable on a worldwide scale. But if you really want to be assured of the privacy of your data at present, you would be advised to keep your data in Europe for the time being, preferably with a Dutch hosting company.
