After safe harbour: Navigating data sovereignty
Do you know where your data is?
Max Schrems has a lot to answer for. The Austrian is single-handedly responsible for bringing down a key transnational data agreement that has left cloud service providers scrabbling for legal counsel. This is either a good thing, if you’re a privacy activist concerned about intrusive US surveillance policies, or a confusing and worrying one, if you’re a provider or customer of cloud services.
Worried by the Edward Snowden revelations, Schrems questioned the Irish Data Protection Commissioner, on the basis that Facebook was collecting his data in Ireland and then moving it to the US for processing. The Irish DPC simply pointed to the Safe Harbour agreement and said that its hands were tied.
The case was bumped up to the Court of Justice of the European Union (CJEU), which on October 16 ruled that Safe Harbour was illegal. Its rationale was that it enabled companies to share data for national security purposes but didn’t address whether the protections were strong enough.
Safe Harbour was pretty important to any company that keeps data in the cloud. Established on July 26, 2000, it was a voluntary initiative designed to make it easier to transfer data between the EU and US organizations that participated. Participants were made to follow seven principles:
- Provide notice of how data is collected.
- Provide the option to opt out of data transfers.
- Restrict transfers to third parties.
- Put in place security controls to prevent the loss of collected information.
- Ensure the integrity of the transferred data.
- Permit people to access the data stored about them.
- Make sure you enforce all the above rules.
What it means
The ruling wasn’t a surprise to those in the know, claimed Penny Jones, a European services analyst for 451 Research in a briefing paper on the topic. But it does leave cloud service providers and their customers wondering what to do next. Before, the legality of taking an EU individual’s data outside the region for processing was well understood. Without that agreement, is it still safe to do so? And what does that mean for companies using cloud service providers who process their customers’ data on the other side of the pond?
“Most will now wonder about what will replace Safe Harbour,” said Jones in the paper, “and whether a new regime will provide a solution that can accommodate all firms that rely on compliant practices for transferring data access across the Atlantic, from small to large enterprises and service providers.”
The reaction of cloud service providers – especially US ones – should be of particular interest to cloud services customers, because it may provide them with some guidance on their own decisions. Cloud companies seem to focus mainly on the fact that Safe Harbour wasn’t the only legal protection available.
Facebook said that it relied on ‘various methods’ to guarantee the transfer of data from the EU to the US. Microsoft outlined those methods specifically, explaining that it would fall back on EU Model Contract Clauses in the absence of a clear way forward after Safe Harbour. These clauses govern the transfer of data between data controllers (who decide how data will be processed) and data processors who actually do the work (typically cloud service providers). Model contract clauses detail how data must be managed inside the EU, and when transferred outside the region.
Microsoft started supporting these clauses in its cloud contracts in 2011, and in April 2014, the company became certified under security standards set by the Article 29 Working Party, which is the EU group handling privacy issues in the EU.
Not everyone is confident about the long-term viability of the model clauses, though. One of them is Thomas Owen, head of security at hosting firm Memset. “The problem here is that they’re often opt-in - the customer has to execute them, not the service provider. They also provide similar protections to the Principles that the CJEU has already ruled ineffective,” he said. “A temporary legal panacea maybe, but not a sustainable one and not one harmonised with wider privacy and data protection law. It’s going to cause new problems.”
There is another mechanism, called a binding corporate rule (BCR), which is a code of conduct recognized by the EU.
“This is not taken up by many organizations because it’s extremely difficult to put in place, and very time consuming and expensive, said Daniel Hedley, an associate at national law firm Thomas Eggar LLP’s tech team.
“There is a lot of mixed messaging at the moment,” said Ross Woodham, director of legal affairs at Cogeco Peer 1. “Concrete steps are required to achieve a conclusion by the end of January. However, there are very clear indications that solutions will not be in place by then. “If this is the case, data protection authorities will then talk about enforcements on those in breach of transferring data out of the EU.”
The Article 29 Working Party has set the January deadline, and is reserving the right to begin questioning these other methods after that, Hedley warns. “Reading between the lines, that sounds to me like an attempt to put pressure on the politicians to sort it out,” he said. The trend towards data sovereignty isn’t just affecting US companies, though. It’s happening across the world, all the way through to the Asia-Pacific region. Indonesia has introduced Government Regulation PP 82/2012, which demands that datacenters providing services for its citizens be maintained in its territory. Australia has its own laws, too, imposing restrictions on data carried overseas. There is more law coming down the pipe, too. The EU General Data Protection Regulation (GDPR) is expected to pass into law before long. This legislation has a fundamental difference to the data protection directive that preceded it, warned Deema Freij, global privacy officer at Intralinks, a US firm that provides cloud-based collaboration services for clients.
“Because it’s a regulation it becomes law in all EU countries without having this nuance,” she said. “What’s scaring a lot of people is that there’s no implementation in each of the countries, it just becomes law.” The law also includes some new, more restrictive clauses. These include its application to companies outside the EU who process data on EU citizens.
Do you know where your data is?
All this uncertainty makes one thing pretty clear: companies should have a good grip on where their data is in case the legislative situation deteriorates. The thing is, they don’t. In September, VMware commissioned a study of 250 independent public and private sector organisations to assess their readiness as the landscape shifts. Ninety five per cent of organizations use cloud services, according to VMware’s research, and yet almost two thirds of them don’t know where their data is stored.
So not only is the legal line currently unstable for data sovereignty, but we don’t know whether companies are toeing it or not. If they can’t tell whether the data is all stored safely in the UK, they could be in trouble. That’s a problem, because the industry has spent the last few years telling UK firms that the cloud is a warm, fuzzy and safe place in which to store their data. The whole cloud premise has rested on the fact that your data is abstracted from physical infrastructure, so at least from a technical perspective you don’t have to worry about where it’s stored.
That’s certainly true within your own boundaries – a private cloud environment on your own premises can shift workloads around independently – but when dealing with third party hosting firms that becomes more problematic.
Does this mean that organizations should avoid cloud-based services altogether? Hardly. For one thing, it may not be possible. Almost half of all respondents to the VMware survey were worried that their data may be locked into cloud service provider contracts.
Overall, only a third of organizations with data residing outside the UK would know how to move data from outside the UK back, even if they could. And if they do move the data to another location, it would cost them £1.6m, on average. That’s a bit of a challenge, then.
What organizations are doing about it
What can companies do about it? One of the primary goals has to be finding out where your data is, so that you know what to do with it. Only 37 per cent of the VMware survey respondents knew for sure where their data was, leaving this as a pressing task for more than six in ten IT decision makers. That means auditing your cloud suppliers to find out where they’re putting it.
Knowing where your data is involves working with your service providers. “Cloud providers have a duty to be fully informed on all legal developments that could affect the sovereignty of their customers’ data, while being completely transparent in communicating exactly where they are hosting customer information,” said Michel Robert, UK managing director for Claranet.
Assessing and keeping track of geographical location will be a difficult task for cloud service providers, warned Ashley Winton, partner and UK head of data protection and privacy at global law firm Paul Hastings LLP and chairman of the UK Data Protection Forum.
“In response, cloud service providers at the infrastructure level need to make this easier for cloud service providers at the application level,” he said. Services like programmable storage layers are already paving the way for companies to create data-aware infrastructure, he said, adding that logical partitioning of data will continue to develop in response to these legal challenges. “Already in technologies allowing for portability and vendor neutrality, such as containerisation, we can see this happening.”
While customers and cloud service providers alike try prepare themselves for all eventualities, there are already more developments happening. Eggar’s Hedley believes that talks for a Safe Harbour 2.0 are far advanced. There is also a move in the US to pass the Judicial Redress Act, which would give non-US residents a chance to complain to the same degree as US citizens if their data is mishandled.
And what of Brexit? Some may worry that should the UK leave the EU after a forthcoming referendum, it could introduce more legal hurdles to exchanging data between companies in the UK and the rest of Europe. Hedley said that it wouldn’t immediately cause data sovereignty problems. “In the short term, the only way Brexit could work legally would be a long transitional period of continued harmonisation of laws,” he said. “Plus what the government has mostly been talking about is some sort of arrangement similar [to that between the EU and] Norway where you’d have bilateral trade agreements with the European Union. Part of those bilateral agreements would be compliance with a lot of European law anyway.”
Ultimately, the message here is: be concerned, but don’t be hysterical. Get your house in order by auditing your data and talking to your cloud service providers to understand what they’re doing. The European Commission published its own list of alternatives in the absence of Safe Harbour here, and the UK deputy ICO also published a soothing blog about it at the end of October here, which should reduce the blood pressure a bit. ®