EU to US: Stop storing our data on your servers (or else)
This is international relations at its best, ladies and gentlemen. And the clusterfrak that is Europe may be about to land on the heads of American and European IT managers with a great big splat.
The subject at hand is data sovereignty, which basically describes which country holds your data. Since many of our biggest Internet companies are American, for the past bunch of years, Europeans using services generously provided by those companies have often found their data stored on computers located outside of the EU.
This seems to have caused quite a spot of bother among some EU citizens who took the whole NSA/Snowden thing with substantially less of a sense of humor than the rest of us. Apparently, some of these folks don't like the idea of having their data on American servers because then the nasty NSA folks could go pawing through their digital detritus, stealing information about their odd little habits, corporate trade secrets, and favorite dinner condiments.
Don't get me wrong. Privacy is a critically important issue. Regardless of the level of treasonous behavior by Russia-runner Edward Snowden, the idea that the American government (or any government, for that matter) might regularly look at personal information (or even metadata) should be of concern to all citizens, counterterrorism efforts notwithstanding.
The EU-niks, on the other hand, have decided to overreact, and in a big way. This week, the European Court of Justice overturned the long-standing US-EU Safe Harbor agreements.
There's a ton of legal complexity and diplo-speak in what makes up the Safe Harbor deal, but it essentially allows American companies to store information belonging to Europeans on servers located in the United States.
What the European Court of Justice did this week is nuke that. They now claim that the Safe Harbor framework is invalid, which would -- and here's where it gets completely fuzzy -- seem to imply that American companies are not allowed to store European's data within the United States.
This is fuzzy because this is a diplomatic problem and if there is any one class of professional that makes a profession out of being unclear, unspecific, and non-committal, it's diplomats. For example, if you visit the U.S. Department of Commerce's Safe Harbor page, you'll see a very short statement acknowledging the ruling of "invalid" (Department of Commerce's quotes) and stating, "In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program."
In other words, situational normal, all fraked up. The DoC has no idea whether or not things will change, but it's rapidly changing, and, well, let's not do anything rash, shall we?
I know. Special, right?
When most of us think about the issue of data sovereignty, we think about things like whether Microsoft has to share the contents of Office 365 accounts belonging to EU citizens with the U.S. government, or whether or not Facebook or Google has to turn over access to some of their data based on a court order.
In other words, most of us think that this is someone else's problem.
Here's how this becomes a problem for you. Data is data. I'll give you a very tiny example. Let's say you run a Web site running on a server located here in the United States that runs a small e-commerce shop that sells some software products or services. You have customers all over the world, including some in Europe.
Based on the new unsafe harbor ruling, you're in violation of European law. That login and account information needs to be moved to a server located in Europe. Can you imagine the hassle this would be if it were enforceable, and we now needed to segment our user databases and all our other information so that we could dump data on a server located in each major country or region?
This is the issue facing IT managers. Right now, as the Department of Commerce has shown, there's no determination about what y'all are supposed to do. But because the Safe Harbor provisions are now null and void, the door is open for international lawsuits targeting your organizations, just because you happen to run a database hosted in the land of the free and the home of the brave.
Into this mess there are some odd loopholes. The biggest is Amazon.
Apparently Amazon has decided to ignore the diplomats and the country-level negotiations and create its own Jeff Bezos Department of State and All Things AWS. In fact, it looks like Amazon has jumped way ahead of the line and negotiated their own AWS-specific Safe Harbor clauses, "because AWS has already obtained approval from EU data protection authorities (known as the Article 29 Working Party) of the AWS Data Processing Addendum and Model Clauses to enable transfer of personal data outside Europe."
So, if you happen to be using AWS, you're probably not going to get hit with whatever non-specific world of hurt the EU has in mind for American IT companies. As it turns out, I run my Web site on AWS, so I (and the very little bits of login data from Europeans I manage) seem to be safe from this ruling.
Maybe we should be looking at Jeff Bezos for billionaire-in-chief instead of Donald Trump.
Where does this leave us?
Since I don't have a good answer for you, I'll tell you a story. Starting in the late 1990s, I ran some of the first online magazines for technology. We offered free content: news, tutorials, reviews, and the like.
One day, I got an email from a lawyer in France informing me that if I didn't translate my sites into French, my tiny company would be subject to all sorts of penalties due to France's supposed requirement that a certain percentage of all content be provided in the native language.
I took one look at my server logs, noted that a very, very small percentage of my readers at the time used French as a primary language, and blocked them. I also blocked that lawyer's IP address and the address block in his region.
I reasoned that my company had no revenue coming from the country, didn't have an army of lawyers to deal with language-related claims, and it was just easier to comply with whatever law there might be by not having it be a problem. As far as I know, those blocks remained in existence until I moved my servers. Problem solved.
Obviously I don't recommend you go off blocking anyone from the EU from accessing your systems. That said, this kind of unilateral decision on the part of a foreign "power" like the EU may well result in all sorts of counter-productive actions on the part of companies inadvertently caught in the crossfire.
Given that even the Department of Commerce doesn't know where to go with this and is operating as business as usually, there's probably no action you need to take now. That said, this situation is likely to get messier rather than better, so it's a situation you and your management need to keep in mind.
From an architectural point of view, as you start designing new systems, also keep in mind that there might be a more potent data sovereignty requirement than in times past, and while I wouldn't advise extra investment in this area, I would certainly recommend you factor account segmentation into your plans as you move forward.
Who knows? With all the chaos in Europe, the EU may not last long enough for the lawyers and diplomats to figure out the implications of this latest bit of NSA over-reaction. Chalk up another cost, another pain, and another hassle resulting from Snowden's theft of government secrets and the eagerness of some media outlets to ride the traffic wave regardless of the implications or damage.
If you want an exceptional backgrounder on the international implications of this mess, read our own Zack Whittaker's excellent work on the issue of European and US privacy. It's fascinating (and disturbing) reading.
14 privacy tools you should use to stay secure
By the way, I'm doing more updates on Twitter and Facebook than ever before. Be sure to follow me on Twitter at @DavidGewirtz and on Facebook at Facebook.com/DavidGewirtz.