Data without borders may be a thing of the past. On Oct. 6, the European Court of Justice declared the Safe Harbor structure to be invalid. Since its establishment in 2000, Safe Harbor has provided a simple, legal mechanism to transfer Personal Data outside of Europe to data centers located in the United States. Safe Harbor, as we've known it, is gone forever, and European regulators have indicated that they plan to begin strict enforcement of the ruling at the end of January.
This news is leaving many American companies reeling. It has magnified how the United States and Europe are headed in opposite directions when it comes to protecting and sharing data across country borders. Simply put, the U.S. and Europe have different cultural and political values when it comes to privacy protection.
While there is a scramble within political bodies to find a solution for this and to establish new regulation, it is highly unlikely that a Safe Harbor replacement will be created before the January deadline. Perhaps the deadline will be extended, but given the definitive nature of the ruling, it seems unwise to count on that. If you are putting faith in the politicians to fix this problem and make it go away, think again. If you need further convincing, read the English translation of what German privacy officials are saying.
Unlike Safe Harbor, Model Clauses are a contract between organizations that have access to Personal Data. The challenge is that these clauses require agreement by all parties involved -- the company providing the service, the recipient of the service and all subcontractors that process the Personal Data. Although Model Clauses are generally standardized, they need to be individually negotiated. In some cases, Model Clauses require individual registration within the jurisdiction where the Personal Data is collected, often the home country of the relevant European citizen.
So what is the answer if your business relies on processing European Personal Data in the U.S.? For now, it's best to leave the Personal Data in Europe. If it is feasible to perform all data processing in Europe, that will solve your European Personal Data problem. But duplicating your entire application stack in Europe is impractical for some companies.
The alternative is a hybrid solution. If it is preferable to perform some processing in the U.S., your best option is to create a mapping within your European data center between the Personal Data and a unique ID. As long as that unique ID is anonymized and does not contain any descriptive information about the user, it can be sent safely over to the U.S. If further actions that require Personal Data need to be performed (for example, sending an email to the user), the IDs must be sent back to Europe and those steps must be performed on European soil.
While an anonymized ID can be safely sent to the U.S., descriptive information about that ID may render it identifiable, and as such, it would be considered Personal Data under European law. These rules vary by European country. For example, associating an ID with gender, location and age would be considered identifiable by French law, and thus this information cannot be sent to the U.S. While the approach of sending only anonymized IDs to the U.S. is generally safe, the details are important, so you need to validate your solution with legal counsel experienced in European privacy law.
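A minimal sketch of the hybrid split described above, added here as an illustration and not taken from the original article. The class and function names, the field allowlist and the sample users are all assumptions constructed for the example; which attributes may actually accompany an ID is the legal question discussed in the preceding paragraph.

```python
import secrets

# Assumption: only these non-descriptive fields may leave the EU. Which
# attributes are safe is a legal question that varies by country.
EXPORTABLE_FIELDS = {"plan", "event_count"}

# Constructed sample records, not real people.
SAMPLE_USERS = [
    {"email": "anna@example.org", "name": "Anna", "gender": "f", "age": 34,
     "city": "Lyon", "plan": "free", "event_count": 250},
    {"email": "luc@example.org", "name": "Luc", "gender": "m", "age": 51,
     "city": "Paris", "plan": "paid", "event_count": 900},
    {"email": "eva@example.org", "name": "Eva", "gender": "f", "age": 27,
     "city": "Nice", "plan": "free", "event_count": 12},
]


class EuVault:
    """Runs only in the European data center; holds the ID-to-person mapping."""

    def __init__(self):
        self._by_id = {}     # opaque ID -> full personal record
        self._by_email = {}  # normalized email -> opaque ID (one ID per user)

    def tokenize(self, record):
        """Store the record in the EU and return the payload allowed to leave."""
        email = record["email"].strip().lower()
        uid = self._by_email.get(email)
        if uid is None:
            # Random rather than derived from the data: an unsalted hash of
            # the email can be matched by anyone who can guess addresses.
            uid = secrets.token_urlsafe(16)
            self._by_email[email] = uid
        self._by_id[uid] = dict(record)
        exported = {k: v for k, v in record.items() if k in EXPORTABLE_FIELDS}
        exported["id"] = uid
        return exported

    def send_email(self, uid, subject):
        """Action that needs Personal Data: resolved and performed in the EU."""
        person = self._by_id[uid]
        return {"to": person["email"], "subject": subject}  # stand-in for a mailer


def us_select_for_upsell(rows):
    """U.S.-side processing: sees only opaque IDs and allowlisted fields."""
    return [r["id"] for r in rows if r["plan"] == "free" and r["event_count"] > 100]
```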
Of course, keeping Personal Data outside the U.S. means establishing some form of data center footprint within Europe. Fortunately, this is much easier because of the prevalence of cloud services. And while the approach of leaving Personal Data within Europe adds complexity to a solution, this complexity appears to be more manageable than the legal quagmire of Safe Harbor alternatives.
There is a reasonable argument that storing data within a sovereign nation is no longer a sound basis for privacy protection. In today's connected world, every time a European citizen travels abroad, their Personal Data moves with them and thus is potentially vulnerable. The only long-term solution to this problem is the pervasive use of strong data encryption to protect data. Ultimately, thoughtful, encryption-based privacy laws can replace today's antiquated policies which rely on the location of data storage.
However, the reality is that government policy moves much slower than technology, and it will be quite some time before these laws are updated to reflect the reality of today's world. Until then, the only thing we can do is abide by the laws of individual countries. For now, the only truly safe harbor for European Personal Data is to leave that data in Europe.