This is the second in a series of posts that examine the principles governing the transfer of data across borders between the European Union and the United States, and the effect that the USA PATRIOT Act has on businesses, citizens and governments outside the United States. Although this is a U.S.-oriented site and I am a British citizen, the issues I surface here affect all readers, whether living and working inside or outside the United States.
Why were the Safe Harbor principles created in the first place? To maintain trade between Europe and the United States, with Europe fully aware of the lax attempts at data privacy performed on the part of the U.S.'s biggest companies.
Why Europe needed Safe Harbor principles
The vast majority of people using services on the web -- be it web-based email like Hotmail or Yahoo!, social networks like Facebook and Twitter, or anything as minute as a website requiring registration-- tend not to think about where their personal data like photos and email is stored.
On the whole, these services are designed to save us time and energy, and we have come to want the offerings of these services on-demand, without thinking too much about privacy. We expect our respective governments, wherever we are in the world, to protect us to a level where we can act and communicate freely.
However, an inequality in legal protection between the United States and the European Union could have massive consequences for users of 'the cloud'.
Data protection legislation differs greatly between the European Union and the United States. With a vast number of organisations branching out to worldwide offices during the dot-com boom, it was clear to legislators that data transfer and protection laws needed a global overhaul. A particular area of focus for data legislation was the European Union, with dozens of countries sharing elements of the same law.
The EU ratified the "Data Protection Directive" in 1995, which mandated that all current and future EEA member states incorporate agreed-by-consensus rules into their own respective laws by the end of 1998. In the United Kingdom, for example, the Data Protection Act 1984 already existed but was amended to accommodate the new provisions of the EU directive. The renewed law became the present incarnation of the Data Protection Act 1998.
The core principles of the directive took into account data usage transparency and the legitimate use of data, seeking to ensure that only the required personal data was collected by companies. But these principles also allow for data only to be processed if a series of conditions are met to ensure the data is stored securely and safely, and if the person owning the data belongs to or relates to accept that these terms are met.
As the EU directive affects the individual laws of each EEA member state, the directive is enforced by a local authority of each country. In the United Kingdom, for example, the Information Commissioner's Office enforces the local data protection law, and therefore the wider EU directive.
This directive passed successfully in 1995 and was subsequently written into the law of each respective nation. Despite being outside the European zone, the United States was, however, a major player in global industry, but failed to accept the same principles agreed upon by the EEA member states.
So, to ensure safe passage of data from Europe to the United States, both the EU and the U.S., spearheaded by the U.S. Department of Commerce (though the USA PATRIOT Act is not), worked together to create a common 'Safe Harbor' framework which was subsequently approved, after much deliberation, by the EU in 2000.
The Safe Harbor principles were agreed to on the basis that, even though U.S. law would not change, the private companies who signed up to the Safe Harbor list would adhere to the rules set out by the EU. These rules include, but are not exclusive to, the EU enabling access for private organisations in the US to an individual's data upon request, and assurances that data security is effective enough to guarantee data protection.
It is important to note that Safe Harbor is not regulated by the U.S. government. Although the Federal Trade Commission (FTC) manages the system under the oversight of the U.S. Department of Commerce, the Safe Harbor programme is self-regulated in the private sector. However, enforcement can be backed up by federal or state government if a company screws up.
By ensuring that the Safe Harbor principles satisfy the European Commission, trade between the US and Europe can continue.
Companies -- whether headquartered elsewhere or simply a subsidiary company of a larger corporation (Google UK, a subsidiary of Google Inc., for example) -- are not allowed to send personal data to anyone outside the EEA unless there is a guarantee from the recipient government that it will receive 'adequate' protection. Since the Safe Harbor principles were agreed by the European Commission (the governing body of the EEA and the EU), the U.S. is now seen to offer adequate data protection by European regulators.
EEA companies like Google and Microsoft that need to pass data to companies in the U.S. securely, provided the US-based head office or branch office is on the Safe Harbor list, will do so. Subsidiary companies, usually the same company but owned by a parent company in a different location, region or state, are also covered by Safe Harbor -- provided the parent company is on the list.
If Google or Microsoft is covered under Safe Harbor, then so is Google UK and Microsoft UK, for example. This allows organisations with localised offices to share data back and forth to the US headquarters from Europe without too much trouble.
Time to rethink outsourcing to the borderless cloud?
The Safe Harbor principles set up by the U.S. Department of Commerce to comply with the EU-prescribed 'Data Protection Directive' allows personal data sent from an organisation, subsidiary company or government in the EEA to the United States.
Yet, once the data reaches the United States, the data automatically becomes vulnerable to the USA PATRIOT Act, which can be invoked with or without a court order depending on the requirement for the data.
The U.S. Safe Harbor framework does not protect any personal data from the USA PATRIOT Act until a U.S. court declares otherwise.
Regardless of where a company's office is outside the United States, like Google UK or Microsoft UK, if the company that owns that subsidiary company are wholly owned by a US company, the USA PATRIOT Act can be invoked.
If a wholly owned, U.S.-based company only provided cloud storage or services to U.S. citizens residing within the United States, the customers and company would be wholly under U.S. law. The USA PATRIOT Act can therefore be invoked.
On the other hand, take the same scenario across the Atlantic. This time, take a wholly owned, UK-based company which provides cloud storage or services to only UK citizens residing within the United Kingdom. The customers and the company is wholly under UK law, which in some cases is shared by other EU countries under European directives. The USA PATRIOT Act has no reach, though the UK and Canada do enact similar counter-terrorism laws.
But as a European citizen who uses Gmail provided by U.S.-based Google, you are liable to the laws of a foreign government. Your data, therefore, is subject to a U.S. inspection.
Users of the cloud should be aware of foreign legalities, such as the location of cloud datacenters and where the registered offices of the subsidiary companies are, as well as their head offices. Subsidiary companies can be forced by their U.S. parent organisations into following the laws of a country they are not even in.
EU enterprise clients, including schools and universities, should be extremely careful of localised companies who cannot guarantee in writing that data will not be at risk from laws foreign to their own country.
Read more: A case study detailing how the USA PATRIOT Act can be invoked to access data held in Europe (and further afield), with or without the consent of the data controller. Read more.