On the 6th of October the Court of Justice of the European Union (the equivalent of the United States Supreme Court) struck down Safe Harbor. Safe Harbor was an agreement between the European Commission (the civil service of the EU) and the US Department of Commerce that allowed data to be transferred to the US by companies operating in the EU on the basis of a self-certified scheme of compliance with a set of principles broadly mapped to EU Data Privacy rules.
Notwithstanding my aversion to any Governance scheme that is based on self-certification (they are well-intentioned bullshit in my experience), nor the litany of concerns that were raised about the effectiveness of Safe Harbor over the years, Safe Harbor was struck down because the Court of Justice determined that it did not provide an adequate mechanism to protect the fundamental data privacy rights of individuals due to the existence of mass surveillance without appropriate and effective judicial redress, transparency, and oversight. Tjis is exactly why the same Court struck down a European Union law allowing mass surveillance last year.
The upshot of the Court’s ruling at 09:30 CET on the 6th of October was that at that time, all transfers of personal data from the EU to the US on the basis of Safe Harbor became unlawful. The Department of Commerce continues to allow organizations to register for Safe Harbor and re-certify their compliance with it. That’s a bit like the messiest high-school break up ever, where the jilted party insists that the other person still loves them and will be their prom date (just you wait and see). In Disney movies, that dogged persistence in the face of obstacles may pay off, but in reality it tends to lead to restraining orders, psych evaluations, and enforced ankle bracelet trackers.
Other transfer mechanisms exist for cross-border data transfers out of Europe to the US. However, they will likely fall foul of the same legal difficulties as Safe Harbor. I’ve described them elsewhere as being like a chocolate teapot – perfectly fine until heated. For now though, EU Data Privacy Regulators are providing a stay of execution until the end of January, after which they have indicated they will begin investigations and prosecutions as needed.
The demise of Safe Harbor is a perfect example of the importance of the “Location” column in John Zachman’s Enterprise Architecture Framework. And just as the Hitchhiker’s Guide to the Galaxy tells us that “every frood should know where their towel is”, Zachman’s Guide to the Information Galaxy tells us that “every froody Data Governance leader should know where their data is”. There are countless reasons for knowing where your data is, including:
- Changes in the legal situation (e.g. Safe Harbor) making it illegal for your data to be somewhere
- Changes in legal situation that require you to invest in technical architecture to keep data in certain places and not others (e.g. Russia requires copies of certain data to be kept locally within their borders, Germany requires data relating to national security issues to be kept in Germany etc.)
- Natural disaster (“hey… that tropical storm is heading towards XXXXX – isn’t that where our data center is?”)
Rapid response can be the difference between up-time and down-time, legal breach and legal compliance, being in business and being out of business. Therefore, your organization needs to have appropriate governance controls in place over where your data is going, but also over the checks that will be done when on-boarding suppliers so that you know where they are putting your data and can assess risks accordingly.
Since the oral hearings in the Safe Harbor case took place in March, I’ve been working with clients to evaluate suppliers and identify where the client’s data is being held. The clients I’ve been working with have ranged from small non-profits to large enterprises. It has been very worrying how many organizations:
- Didn’t know who all their data services suppliers were
- Allowed staff to procure “freemium” services like email or survey providers with no due diligence or plans for integrating data back and purging instances of these systems
- Didn’t know what was the legal basis they had for transfers of data to the US (and other countries), despite this being a legal requirement.
- Didn’t know where it the world the data they were processing was actually being stored.
On the other side, I have been horrified by the lack of understanding shown by the legal departments of very large US-based companies offering services into the EU about the implications of the Safe Harbor ruling. It seemed in some cases like they didn’t think that a ruling of the highest Court in the EU would apply to them and it was ‘business as usual’. It was clear to me that they didn’t have a well thought out plan to respond to the specifics of the EU ruling. They seemed sure that the Improbability Drive errors that had resulted in the fig leaf they’d been relying on to do business in Europe would shortly return to normal.
Unfortunately, this is the new normal. Israel and Switzerland have also suspended their Safe Harbor schemes with the United States since the EU Court ruling.
Hey Frood, where is your Towel?
This has been a very good learning experience for me, my clients, and some of our suppliers. They are now aware of the importance of knowing where their towel (data) is. I have some great examples of the impacts of not considering the location column of Zachman.
Of all the companies I’ve spoken to who are based in the US but doing business in Europe, only ONE came back with a clearly articulated plan that addressed the underlying issues in the CJEU ruling and had enough structure to it to be credible. I’ve found viable alternative EU-based suppliers for SME and Enterprise clients for many, but not all, functions provided by US-based companies. The gap represents a viable market opportunity for EU businesses, or for US businesses that want to figure out how to comply and compete on Data Privacy in an EU context.
Google’s restructuring as Alphabet has some interesting elements under the hood that look to me like a contingency plan to split their business (and their cloud platforms) between the US and EU very quickly if needed. They know where their towel is, and they have lots of experience fighting EU Regulators on things and losing. I’d expect to see an announcement from them in Q1 2016 about something along those lines, particularly given their recent investments in EU-based data centers.
DAMA International breathed a sigh of relief that some architecture changes were made to address Location risks of data storage. I know where their towel is and can physically get to the data center that is hosting them in about an hour.
Who Moved My Towel?
Of course, the advent of the European Union’s revised Data Privacy Regulation in early 2016 will bring further challenges. Organizations based outside the EU but engaged in activity targeting residents of the EU (e.g. selling products or services or engaging in behavioral monitoring) will need to comply with EU laws anyway.
So, in addition to knowing where your data is actually held, you will need to know where your data is actually coming from. A classic data lineage problem in Data Governance, but one that will carry penalties with it. Historically it has been difficult if not impossible for EU data privacy regulators to effectively engage in enforcement action against US based businesses directly, but I would not be surprised if the steps that will be taken by the US Government to fix the problems in Safe Harbor will include just that – a mechanism for improved effectiveness of cross-border enforcement of data privacy laws and standards.
2016 looks like it’s going to be an interesting year. The Safe Harbor case is the beginning. Effective Data Governance is the key tool to managing the emerging risks and opportunities. If you want to find out more about how, please get in touch. I have a book with “Don’t Panic” written on it in large, friendly letters.