Breaking News Tuesday 6th October: The European Court of Justice Strikes Down The Safe Harbor Agreement
The decision as reported by Politico telling us there will be an official announcement at 3pm. Quoting from that article:
“The European Court of Justice slammed the European Commission for signing the agreement in 2000, because the pact doesn’t give citizens the right to complain about the handling of their data, nor does it even meet the standards set out in the Commission’s own Data Retention Directive”.
It will take some time for people to work out the full implications, but lawyers are no doubt rubbing their hands with glee. In terms of your data protection and security concerns, you need to assess how much reliance has been placed on Safe Harbor in contracts with vendors. Either explicitly or tacitly there will be some reliance, as no firm can demand foreign companies comply with their domestic data protection laws without an international agreement…no matter how ineffective that agreement might have been. One key area of focus is notification (explicit agreement of data owners to have their data handled in a specified way) as explored more in this Business Insider article.
Onus therefore falls on individual companies to broker contractual agreement about acceptable data protection and security controls during due diligence and contract negotiations. There are model clauses the ICO can provide, but there’s no guarantee they will stand up to medium term scrutiny and that’s hard to revisit during the term of an agreement and hard to broker if you are a small fish in a giant vendor client sea.
Going completely back to basics, does this mean your data is more likely to get transferred without your knowledge, damaged, lost, or stolen by US ‘safe harbored’ firms? The answer is the same as it’s always been…good firms will be transparent, implement robust controls and allow you to verify them. Other firms, who offered none of those things and previously had Safe Harbor to hide behind, won’t.
For more on the origins, content, management and politics of Safe Harbor, see the original post below.
There is a frequent and dangerous misconception that sharing confidential data with a ‘Safe Harbored’ US vendor (or anyone’s Safe Harbor approved sub-contractor) automatically confers some security…IT DOES NOT.
Safe Harbor is very much like data protection legislation, in that it doesn’t get into any specifics about security control requirements.
It’s a policy agreement established between the United States Department of Commerce (DoC) and the European Union (E.U.) in November 2000 to regulate the way that U.S. companies export and handle EU citizen’s personal data.
Sadly, that doesn’t stop the US government being able to poke around in data hosted on their turf if they find a reason to use the Patriot Act (or other fairly draconian data access and retention rights embodied in US surveillance and counter-terrorism law)…
…in fact, that’s about ALL folk have reported on lately. I wonder (Snowden) why.
Broken people, process and technology controls, plus mistakes in the vendor organisation, should be (I would strongly argue) taking up far more column inches and mindspace. The Verizon 2014 Data Breach and Incident Report (DBIR) put the figure for incidents linked to government sponsored action at 19% (that’s a global not US specific figure and attribution is a fun game). Shocking, but by the same yardstick, that leaves over 80% of incidents down to others. Even once you’ve mentally adjusted for the stuff we don’t get to hear about, I still reckon ‘other’ is in the majority.
We don’t really know how much snooping is permitted by less than great security controls vs master spy cyber tactics. What we DO know is that holey security is an open invitation to garden variety, profit motivated criminals.
US Government departments involved (in this case the US Department of Commerce’s International Trade Administration) seem to have historically had fingers in ears chanting “la, la, la” about that (granted, the below quote is from 2013 and things may have changed since then…..?) They said:
“US firms’ compliance with the Safe Harbor principles was sufficient to guarantee adequate data protection (8-page / 174KB PDF) whether the outsourcing arrangement involves the use of cloud computing technology or not.” Out-law 22nd April 2013
EU firms had been told by an EU privacy working party to check rather than assume Safe Harbor certified cloud vendors were complying with EU Data Protection legislation, but then they were told they shouldn’t. More on how that went down later. The Out-Law site has lots of other good related news and guidance, including this article, but what might focus minds, if they’re not focused already, is the way the export.gov US Trade Commission site (the home of the Safe Harbor Scheme) sells the benefits:
U.S.-EU SAFE HARBOR BENEFITS
The U.S.-EU Safe Harbor program provides a number of important benefits to U.S. and EU organizations.
Benefits for participating U.S. organizations include:
- All 28 Member States of the European Union will be bound by the European Commission’s finding of “adequacy”;
- Participating organizations will be deemed to provide “adequate” privacy protection;
- Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted;
- Claims brought by EU citizens against U.S. organizations will be heard, subject to limited exceptions, in the U.S.; and
- Compliance requirements are streamlined and cost-effective, which should particularly benefit small and medium enterprises.
Think about it a little harder if your eyebrows aren’t already raised. The Safe Harbor security requirement is defined thus:
“Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction”.
As the US chaps say, the definition of ‘reasonable precautions’ for EU resident firms is referred out to EU Data Protection Law (a run down on their reasonableness/appropriateness benchmarks is here). The security part goes like this:
“According to Article 22 of Regulation (EC) No 45/2001, the data controller shall implement appropriate technical and organisational measures to ensure an appropriate level of security in relation to the risks represented by the processing and the nature of the personal data to be protected.
Such measures provide for the prevention of any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and any other unlawful form of processing.”
Safe Harbour self-certification & how we shot ourselves in the foot
Stack on top of this the fact that aspiring participants still self-certificate. I searched the web page with ‘Helpful Hints‘ on self-certification and came up with ZERO mentions of the word security. The full guide to Safe Harbor self-certification does better with 14. That’s 14 times the word security is mentioned in a 61 page document. I’m far from the first to call out the doubtful value of this.
In July 2012 a working party made up of representatives from data protection authorities in all (then 27) member states, said it wasn’t good enough for Safe Harbor scheme cloud vendors (or cloud vendors with Safe Harbor sub-processors) to just say they were compliant with EU DP law. No indeedy! Firms using their services had to get them to prove it, or be deemed in breach of their domestic DP laws:
Says the data protection bloke covering all 27 branches of Fred’s Car Parts Ltd
“…give us a look round your US data centres”.
Yeah, that was always going to work. Bringing us back to when the ITA responded saying folk pretty much had to take Safe Harbor certification as proof of ‘appropriate’ security. How, to my (not legally qualified) mind, that works:
Approved members of Safe Harbour are de-facto ‘appropriately’ secured by EU DP standards (they shouldn’t be approved otherwise). Following conditions of the EU-US agreement, folk from individual EU member states, have no right to unilaterally impose more rigorous oversight on Safe Harbor US firms than on any other EU DP compliant firm in any other country, because the agreement was struck with the EU as a whole. Did you follow that? Hope so.
See the pickle we’ve gotten ourselves into? No good security benchmark, no burden of proof and no independent assessment. Just US vendors ‘proving’ to the DoC (with what looks like scant evidence) that they can ‘reasonably’ secure personal data because they have risk appropriate operational and technical security ‘measures’ in place. Then the DoC says (with far higher values than just ensuring a smooth flow of cash from the EU to the US):
“Right you are, here’s a Safe Harbor badge and by the way, don’t forget your DoC stamp saying you’ve met European data protection security requirements too”.
The ITA agreed it’s right for firms to set out their own DP and security requirements in contracts with Safe Harbor scheme members, but if we try to check adherence to rules, the EU-DoC deal gives them a way to resist (usually block) that. A deal apparently struck without properly considering the small-print. Europe didn’t take that laying down. Well they kinda did, barring some noise, until Snowden happened.
Snowden’s first revelations hit in June 2013. In July the EU Commission was tasked by the European Parliament to undertake an enquiry. In October 2013 the investigatory committee announced it would, among other things, be recommending suspension of the Safe Harbor agreement. But, in November 2013 the EU Commission said no it wouldn’t get suspended after all (a decision that was supported and encouraged by the UK government).
Snowden and the EU-US data transfer fun
Instead of suspending the agreement, the EU commission decided to beef it up. Negotiations tipped in their favour by the early and ongoing Snowden revelations. The same article linked to above goes into conditions and controls the commission sought to impose, including establishing an EU data cloud and leave (if there was a material breach of imposed rules by the US), to revisit the question of Safe Harbor suspension. The US government were told to sort the gaping holes in oversight by the summer of 2014.
So lotsa huge firms are part of the ‘new’ ‘beefier’ Safe Harbour. including giants like Facebook, Microsoft and Google.
There’s also the Federal Trade Commission, who have oversight of Safe Harbor among other responsibilities. They have been pursuing complaints. Here’s their response to the EU investigation and this Privacy Advisor article looks at historical cases brought. I’m not questioning their diligence (I don’t know enough to do so), I’m just focussed on the poor tools (‘appropriateness/reasonableness’ definitions) they’ve been given to do their job.
The rest is more familiar news about the shake-up of the secret service world, but the Safe Harbor agreement still jogs on. It doesn’t mean this story is over though. There are some very high profile characters in the European Parliament shouting loudly about exactly the kind of security oversight failings I have highlighted here. Most notably Commissioner-designate for the Digital Internal Market, Andrus Ansip, threatening again to kill Safe Harbour.
Is National Security making folk ignore Security Security?
So why is the security coverage in Safe Harbor docs and EU counterparts still so woefully inadequate? The fact remains, as I said at the start, that security within vendor businesses isn’t required to meet any recognised security standards. While the avalanche of national security and data protection legislation quickly (think UK’s – passed in 7 days – Data Retention and Investigatory Powers bill) or slowly (think the EU’s everlasting Data Protection law update) tumbles on, is no-one actually checking security? It very much seems not.
Ongoing security implications
Just for fun, lets say there was a breach of personal data controlled by the EU DP guys. Something they had stuck in a cloud unaware that, somewhere down the supply chain, it ended up in a Safe Harbor approved data centre. The root cause is pinned down to a coerced insider, hacker who exploited network insecurities and/or malware with data exfiltration capability. All the EU required Data Protection processes and documents were found to be more than ‘appropriate’.
What are the chances a US firm will be penalised? Bearing in mind the lack of security benchmarks, independent assessments and the limited liability for Safe Harbor members featuring in the DoC sales pitch. Keeping my cynic hat on for a while longer, is this how it might play out in court?
“Honestly m’lud, their controls weren’t appropriate, the breach proves that”
“Why didn’t you check if they were?”
“Because we weren’t allowed to”
“Because we said if they said it was ok, it probably was”
“So how exactly does the security exploit, or state of exploited controls, breach your aforementioned definition of ‘appropriate’?”
Doesn’t feel like a sure thing. Now try to grasp how likely it is that some of your or your customers’ personal data is in that same situation. If there was a breach, how would you respond? How likely is it you’d know with your increasingly long, complex and cloudified supply chain? Where is the motivation for a vendor to provide a secure service, promptly notify breaches and transparently reveal details of sub-contractor security?
The answer is with YOU. You and your due diligence, the leverage built into your contracts, or the (possibly expensive) decision to avoid using firms who can’t or won’t be transparent. After all, moderate post breach fines and short-lived sales and share price slips have proven themselves to be weak sticks compared to operational and development cost saving ‘carrots’.
A possible in?
There’s also a little wriggle here, in that financial institutions may be able to leverage financial regulations to get to have a poke around. Quoting a senior partner at Pinsent Masons at the end of the previously quoted Out-Law article:
“While a US cloud provider may have satisfied the requirements of EU data protection laws as to providing ‘adequate protection’, this does not affect obligations imposed on financial services firms under separate EU financial services laws such as MiFID”
Going on to say that this should (does?) get EU regulated financial firms in to look at primary US suppliers, or US sub-processors, as long as the regulators on this side of the pond carry on seeing physical access as a necessary right.
Talking of typically risk-averse financial institutions, there’s a separate (but almost identical) Safe Harbor agreement between the US and the Swiss. Firms self-certifying to Safe Harbor are meant to meet Swiss DP requirements. I know little about Swiss Data Protection law, but one would expect it to be brutally tough. Perhaps that’s another ‘in’ (if any US government staff and tech company CEO’s have Swiss bank accounts) because it’s not unimaginable a breach at a US firm could open doors to EU networks for malware, criminals or spies.
Safe Harbour says do ‘appropriate’ security and ‘appropriate’ security equals what the EUDP Law says e.g. putting undefined (but risk appropriate) ‘measures’ in place. BUT no-one knows what ‘reasonable’ looks like, because no-one in the EU is getting to go and check. Snowden said “boy have our governments been taking your citizens for a ride”, the EU said “Stop Safe Harbor”, the EU Commissioner said “Don’t stop Safe Harbor” and instead they made it ‘stronger’, while reserving the right to suspend it if the US government doesn’t sort out spying problems. And yet little seems to have changed.
This has evolved from a very simple “Safe Harbour doesn’t equal secure, do your due diligence” post, to a history lesson on EU-US politics. It’s also become a monster. So, for the last few words, back to the reality of the security day job:
A supplier security reality check
Who here has had a vendor call out Safe Harbor (or any other non-specific standard) like some kind of security shibboleth during due diligence or contract negotiations? Maybe you’ve then seen vendor or internal push back against your insistence on robust security checks? Hopefully some of the info here will help you fight the good fight.
Also, a wee nod to all of the other non-personal, but confidential data that wings it’s way across the Atlantic more or less visibly. Plus the far from stable state of EU Data Protection legislation. The commission are still dragging their feet clarifying implementation and regulation for new rules (and receiving much criticism about that), so, for now (and forever in my security opinion), some simple advice:
- Don’t cut corners with security due diligence
- Know your data risks
- Get security requirements into contracts
- Safe Harbor* DOES NOT equal Automatic security assurance
- Do regular on-going assessments
*Safe Harbor can be swapped with ‘Security certificates’ or ‘Security standards compliance’ as required/desired.
Transferable lessons for any vendor security assurance function and any transfer of data to another legal jurisdiction? Well…when we haven’t blocked ourselves from acting on it.
At the very least, if you can’t get anything out of folk, make sure everything confidential it’s operationally sensible to encrypt, is encrypted. It must make a difference, or worldwide spymasters wouldn’t be so grumpy about it.
All the usual caveats apply about this being entirely my own opinion. It does not reflect past or present employers or necessarily reflect their opinions. I also want to point out that I am not a data protection or data law specialist (although having an excellent understanding of both has been vital to my work during my 14 year career). I have however spent considerable time checking facts for this article. If anyone spots inaccuracies, please don’t hesitate to get in touch.