Safe Harbor: Why EU data needs 'protecting' from US law

Safe Harbor: Why EU data needs 'protecting' from US law

Summary: ZDNet's USA PATRIOT Act series: An overview of the Safe Harbour principles, which allows data to flow freely between Europe and the US; but not without caution.


This is the second in a series of posts that examine the principles governing the transfer of data across borders between the European Union and the United States, and the effect that the USA PATRIOT Act has on businesses, citizens and governments outside the United States. Although this is a U.S.-oriented site and I am a British citizen, the issues I surface here affect all readers, whether living and working inside or outside the United States.

Why were the Safe Harbor principles created in the first place? To maintain trade between Europe and the United States, with Europe fully aware of the lax attempts at data privacy performed on the part of the U.S.'s biggest companies.

Why Europe needed Safe Harbor principles

The vast majority of people using services on the web -- be it web-based email like Hotmail or Yahoo!, social networks like Facebook and Twitter, or anything as minute as a website requiring registration-- tend not to think about where their personal data like photos and email is stored.

On the whole, these services are designed to save us time and energy, and we have come to want the offerings of these services on-demand, without thinking too much about privacy. We expect our respective governments, wherever we are in the world, to protect us to a level where we can act and communicate freely.

However, an inequality in legal protection between the United States and the European Union could have massive consequences for users of 'the cloud'.

Data protection legislation differs greatly between the European Union and the United States. With a vast number of organisations branching out to worldwide offices during the dot-com boom, it was clear to legislators that data transfer and protection laws needed a global overhaul. A particular area of focus for data legislation was the European Union, with dozens of countries sharing elements of the same law.

Member states of the European Economic Area (EEA), a community of European countries, acknowledge the "four freedoms" of data protection. This allows the freedom of goods and citizens across European borders and grants data to take advantage of these same privileges.

The EU ratified the "Data Protection Directive" in 1995, which mandated that all current and future EEA member states incorporate agreed-by-consensus rules into their own respective laws by the end of 1998. In the United Kingdom, for example, the Data Protection Act 1984 already existed but was amended to accommodate the new provisions of the EU directive. The renewed law became the present incarnation of the Data Protection Act 1998.

The core principles of the directive took into account data usage transparency and the legitimate use of data, seeking to ensure that only the required personal data was collected by companies. But these principles also allow for data only to be processed if a series of conditions are met to ensure the data is stored securely and safely, and if the person owning the data belongs to or relates to accept that these terms are met.

Implementing and regulating the Safe Harbour »

As the EU directive affects the individual laws of each EEA member state, the directive is enforced by a local authority of each country. In the United Kingdom, for example, the Information Commissioner's Office enforces the local data protection law, and therefore the wider EU directive.

This directive passed successfully in 1995 and was subsequently written into the law of each respective nation. Despite being outside the European zone, the United States was, however, a major player in global industry, but failed to accept the same principles agreed upon by the EEA member states.

So, to ensure safe passage of data from Europe to the United States, both the EU and the U.S., spearheaded by the U.S. Department of Commerce (though the USA PATRIOT Act is not), worked together to create a common 'Safe Harbor' framework which was subsequently approved, after much deliberation, by the EU in 2000.

The Safe Harbor principles were agreed to on the basis that, even though U.S. law would not change, the private companies who signed up to the Safe Harbor list would adhere to the rules set out by the EU. These rules include, but are not exclusive to, the EU enabling access for private organisations in the US to an individual's data upon request, and assurances that data security is effective enough to guarantee data protection.

It is important to note that Safe Harbor is not regulated by the U.S. government. Although the Federal Trade Commission (FTC) manages the system under the oversight of the U.S. Department of Commerce, the Safe Harbor programme is self-regulated in the private sector. However, enforcement can be backed up by federal or state government if a company screws up.

The FTC does take the Safe Harbor principles seriously, and in some cases has enacted sanctions against companies or organisations where breaches of the terms are discovered.

By ensuring that the Safe Harbor principles satisfy the European Commission, trade between the US and Europe can continue.

Companies -- whether headquartered elsewhere or simply a subsidiary company of a larger corporation (Google UK, a subsidiary of Google Inc., for example) -- are not allowed to send personal data to anyone outside the EEA unless there is a guarantee from the recipient government that it will receive 'adequate' protection. Since the Safe Harbor principles were agreed by the European Commission (the governing body of the EEA and the EU), the U.S. is now seen to offer adequate data protection by European regulators.

EEA companies like Google and Microsoft that need to pass data to companies in the U.S. securely, provided the US-based head office or branch office is on the Safe Harbor list, will do so. Subsidiary companies, usually the same company but owned by a parent company in a different location, region or state, are also covered by Safe Harbor -- provided the parent company is on the list.

If Google or Microsoft is covered under Safe Harbor, then so is Google UK and Microsoft UK, for example. This allows organisations with localised offices to share data back and forth to the US headquarters from Europe without too much trouble.

Time to rethink outsourcing to the borderless cloud? »

Time to rethink outsourcing to the borderless cloud?

The Safe Harbor principles set up by the U.S. Department of Commerce to comply with the EU-prescribed 'Data Protection Directive' allows personal data sent from an organisation, subsidiary company or government in the EEA to the United States.

Yet, once the data reaches the United States, the data automatically becomes vulnerable to the USA PATRIOT Act, which can be invoked with or without a court order depending on the requirement for the data.

Businesses especially should be aware of the data they put into the cloud, as the data may be liable for inspection by the US authorities under the USA PATRIOT Act. It could also implicate data controllers under EU data protection laws.

The U.S. Safe Harbor framework does not protect any personal data from the USA PATRIOT Act until a U.S. court declares otherwise.

Regardless of where a company's office is outside the United States, like Google UK or Microsoft UK, if the company that owns that subsidiary company are wholly owned by a US company, the USA PATRIOT Act can be invoked.

If a wholly owned, U.S.-based company only provided cloud storage or services to U.S. citizens residing within the United States, the customers and company would be wholly under U.S. law. The USA PATRIOT Act can therefore be invoked.

On the other hand, take the same scenario across the Atlantic. This time, take a wholly owned, UK-based company which provides cloud storage or services to only UK citizens residing within the United Kingdom. The customers and the company is wholly under UK law, which in some cases is shared by other EU countries under European directives. The USA PATRIOT Act has no reach, though the UK and Canada do enact similar counter-terrorism laws.

But as a European citizen who uses Gmail provided by U.S.-based Google, you are liable to the laws of a foreign government. Your data, therefore, is subject to a U.S. inspection.

Users of the cloud should be aware of foreign legalities, such as the location of cloud datacenters and where the registered offices of the subsidiary companies are, as well as their head offices. Subsidiary companies can be forced by their U.S. parent organisations into following the laws of a country they are not even in.

EU enterprise clients, including schools and universities, should be extremely careful of localised companies who cannot guarantee in writing that data will not be at risk from laws foreign to their own country.

Continue reading

Read more: A case study detailing how the USA PATRIOT Act can be invoked to access data held in Europe (and further afield), with or without the consent of the data controller. Read more.

Leave your comments and thoughts below.

Topics: Government US, Government

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • simple solution

    EU should follow all the US laws when dealing with the internet.
    Linux Geek
    • RE: Safe Harbor: Why EU data needs 'protecting' from US law

      @Linux Geek Considering the EU has far stronger privacy policies and data protection rights, why should we downgrade? Why shouldn't the US, as a leader on the world stage, upgrade to Europe's standards?

      The EU has over 500 million people, the US has just over 300 million -- there are more people subscribing to the EU data protection directive, so surely it'd make more sense to secure data even further and have the US on board?
      • RE: Safe Harbor: Why EU data needs 'protecting' from US law


        WHile you are right that the US has almost no privacy protections, the reality is that EU laws are all paper, no effect. Working in Italy and Germany, I saw that there were so many dodges around privacy laws it was laughable. Local companies made a little effort to comply, while multinationals routinely gamed the regulations to make them meaningless. And there are some "consultants" who make a good living at it, just like tax lawyers help US citizens dodge the IRS.

        As long as companies treat data as having value and private citizens treat as though it has none, then all the laws on the books don't help one whit.
        terry flores
      • RE: Safe Harbor: Why EU data needs 'protecting' from US law

        @zwhittaker But could both countries agree on the basic foundations of each other's rights? <a title="texas real estate attorney" href="http://kellylegalgroup">texas real estate attorney</a>
    • RE: Safe Harbor: Why EU data needs 'protecting' from US law

      @Linux Geek

      You have, perhaps, some <i>logical</i> reason for saying that?
    • RE: Safe Harbor: Why EU data needs 'protecting' from US law

      @Linux Geek Why would any one want to follow american law, seems like your in to the americanisation of the world, stuff that.
      We have different laws for a reason and thats not so the US can tell us to change. GET OVER YOURSELF
  • RE: Safe Harbor: Why EU data needs 'protecting' from US law

    What about the reverse scenario: what about US (or others) having their data stored in an EU data center - what does it take for any EU nation to look at that data?
    The US data protection laws are mainly concered with keeping GOVERNMENTS from looking at your data and not private companies from collecting and using it? How does that compare to the EU laws primary mission?
    • Patriot Act circumvents other laws...

      how can you say the US Data protection laws protect against governments accessing anything, when the government says 'national security', and suddenly has access to everything?

      the EU laws aim at protecting the consumers from others. Period. Not just outside governments, not just outside businesses, not just other consumers. The US protects against governments (not the US government), while EU aims to protect against all.
    • RE: Safe Harbor: Why EU data needs 'protecting' from US law

      @TAPhilo If the data relates to identifiable persons then the law would apply to that data also. I know this because I have worked for a UK company with a US subsidary and on inspection by the Data registra I was told that while data resides on our servers here in the UK, that data has the same protections as that relating to EU citizens (must be used fairly, for the purposes it was collected for only, accurate etc, etc).
  • RE: Safe Harbor: Why EU data needs 'protecting' from US law

    EU governments reserve the right to do anything they like in the interests of law enforcement or any other aspect of national security - as any government has to. The responsibility for preserving the rights of citizens effectively confers the right to do whatever is necessary, including lesser evils, to safeguard those rights for the population as a whole. To argue otherwise is to undermine the effectiveness of those rights.
    And that is why democracy and freedom to publish the misdeeds of government are logical necessities too.
    • RE: Safe Harbor: Why EU data needs 'protecting' from US law

      @PassingWind EU governments cannot do "anything they like" in the interests of law enforcement - not even for "national security". To take one obvious example, a government which uses torture has broken the law, and is subject to sanctions if that breach is proved.

      In the UK, we have anti-discrimination laws. If the government decided that all Muslims had to be in their homes from 9pm to 7.30am, "in the interests of preventing terrorism," then they would similarly be breaking the law, and could be ordered to stop.

      Could the US government declare that "in the interests of law enforcement" it required all private citizens to hand in any firearms they owned to the nearest police station inside 48 hours? It would, of course, be safeguarding the freedom not to get shot at for the rest of the population.
  • @PassingWind

    Just to correct a misunderstanding ...

    One of the basic principles of the original EU privacy agreement is that all countries must have judicial oversight before violating privacy. Which is why the UK was forced to revise its wiretap laws and data search and seizure laws (as mentioned previously) in order to enhance the oversight. All EU governments have as a minimum a level of judicial and legislative oversight for their wiretap and data seizure laws.

    While the UK, Canada and many other governments have enacted national security laws they all require observance of the judicial oversight. In fact, the EU governments have NOT reserved the right to do anything they like -- for any reason. As in any government by the rule of law the government must obey it's own laws. Those include numerous laws restricting their rights. The Magna Carta being one of the most famous examples.

    This is the main difference -- The Patriot Act does not require a court order to seize data or otherwise deprive others of a basic right.

    As for governments having the right to do whatever is necessary to preserve the rights of its citizens ... I leave you with the words of three of those who wrote your own constitution.

    President Thomas Jefferson said, "Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one."

    And Benjamin Franklin said, "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

    And finally, President James Madison said "There are more instances of the abridgement of the freedom of the people by the gradual and silent encroachment of those in power, than by violent and sudden usurpation."
    • RE: Safe Harbor: Why EU data needs 'protecting' from US law

      and we have only to look at the Arab nations - this generation once described as the least politicised - where people have got fed up with "stability" and decided "freedom" is more important.
      It's interesting that most democracies spend their time getting richer, not invading other countries. Democracy should be supported and encouraged.
  • RE: Safe Harbor: Why EU data needs 'protecting' from US law

    Australia's compliance to USA's copyright laws meant much damage to our English-colonial legal structures, to our financial & legal costs & for USA's benefits.
    USA's wars on "terrorism" (Australia's David Hicks, and now our Wikileaks spokesman) is discrediting the most hated nation on the planet. Our nominee for the Nobel Peace prize (2011, 2012) must stay hidden in Europe, preferablly Sweden - sometimes.
    As many have commented, laws & regulations have little to do with reality. USA's manipulation of Google (Gmail), Paypal & most banking systems on this planet, most national & international government agencies, ... - is seemingly unending.
    Personally, I'm hoping that the financial supporters of the USA (Japan, China, ... ) would withdraw their investments in Darth Vader, and give to the much more advanced & truly free world.
    As the aspiring next president (Donald Trump) of Darth Vader is saying, a black man not born on mainland USA is not worthy of USA work.
    • RE: Safe Harbor: Why EU data needs 'protecting' from US law


      Donald Trump never said that, your entire comment is filled with typical anti American hate, lies, and misrepresentations.

      It's people like you who are the true threat to all freedoms everywhere, the political liars, and propagandists, you cloak hate speech in a cover of perceived intelligent commentary; spreading lies by saying things that do nothing more than SOUND GOOD, but only to those who deep inside want to believe your garbage in the first place.
      Spoiled Pork