No “safe harbor” in PRISM data residency storm?

Although viewpoints on the subject of privacy on either side of the Atlantic have diverged, enterprises have long relied on the “Safe Harbor” provision to allow for data transfers while adhering to data residency requirements. With officials now looking to overhaul the EU Data Protection Directive in the wake of the PRISM revelations, there is a strong possibility the data residency landscape will be a very different one – even as enterprises look to cloud-based services as the future for their IT infrastructure and applications.

Safe Harbor provision enables adherence to data residency requirements

Even before the revelations by National Security Agency (NSA) contractor Edward Snowden, the debate to reform the EU Data Protection Directive centered on the differences between the EU privacy laws and legislations such as the US Patriot Act. Of course, some of the debate was a matter of perception rather than fact. For instance, many EU companies provide their law enforcement and anti-terrorism agencies comparably broad latitude to access private data without the data owner’s consent. Even so, the debate is highly politically charged, with the outcome seeming to favor a more emphatic rather than gradual process to update data protection and residency laws.

What might have in the past been a technical, bureaucratic wrangle has been transformed into a political controversy so intense that the only point of consensus amongst EU members is that the EU Data Protection Directive must be reformed.

What might have in the past been a technical, bureaucratic wrangle has been transformed into a political controversy so intense that the only point of consensus amongst EU members is that the EU Data Protection Directive must be reformed. Any change to the directive will in turn result in cascading series of revisions to laws such as the UK Data Protection Act of 1998 that was enacted to bring UK law in line with the EU privacy principles, as well as Germany’s Federal Data Protection Act (generally referred to as BDSG) that was revised in 2009.

Still, it’s not clear what the outcome will be from the current deliberations of the merits or pitfalls of a single supervisory body for personal data protection with powers to penalize across the EU. It seems a likely scenario that the current Safe Harbor provision formulation could become a victim of the PRISM fall out.

The Safe Harbor provision has been in existence for close to 15 years, and helped to allow enterprises – both multinational and smaller companies – to move their data to certified data centers in the US while still observing data residency requirements. As more cloud service providers look to attract a greater number of multi-national enterprises and companies based in the EU, they have worked toward Safe Harbor certification. The requirements for certification are now likely to be set higher – and possibly so high that few service providers can attain them.

Part of the set of proposals now debated as part of the reform are amendments to the privacy regulations, including prohibiting the transfer of E.U. corporate data to U.S.-based clouds altogether, unless several conditions are met. The conditions include making it very clear where the data is going and that there will be the risk of outside monitoring by intelligence services. The net effect of the amendments, if passed, will be to discourage any customers using cloud-based services that may at some point move data outside of the EU for any reason.

With encryption in use technology, companies in the EU can encrypt their data before it leaves the jurisdiction, and through persistent encryption and retention of the encryption keys can apply the same set of controls for data that is stored and processed outside of the EU.

What are the options for companies that want to move to the cloud, but remain in compliance with data residency requirements – now, and in the future? The one alternative that is emerging is to use encryption as a mitigating control. But encryption that has been designed specifically for distributed, cloud-based services is required. Encryption in use and cloud encryption gateways are practical and commercially available approaches to resolving this question. With this technology, companies in the EU can encrypt their data before it leaves the jurisdiction, and through persistent encryption and retention of the encryption keys can apply the same set of controls for data that is stored and processed outside of the EU. While we advise customers to seek legal counsel on their residency requirements, Vaultive does provide the innovative technology to meet these technical requirements.