If you have an even passing interest in privacy you’ll probably be aware that “Safe Harbor” is dead.
Safe Harbor (sic) was, essentially, an agreement that allowed personal data to be transferred lawfully from the EU to the US. US companies agreed that they would apply the same standards of privacy (and security) to the handling of personal data from the EU as that data would have received within the EU. (And yes, that's simplifying things quite a bit.)
What went wrong?
Well, as we all know, a lot of governments like to know everything that we're all doing all the time, so they'd all been snooping. The revelations from Snowden (and others) made it pretty clear that the US government (and others) had little or no respect for citizens' privacy. While law enforcement agencies and others may need to access data, there needs to be a proper process in place for that, and simply collecting EVERYTHING is not acceptable.
Against that backdrop it was going to be rather hard to argue that data would be treated and respected properly once it left the EU, and in October 2015 the Court of Justice of the EU struck Safe Harbor down in the Schrems ruling.
The entire collapse of Safe Harbor has been covered extensively in the media on both sides of the Atlantic, so I won’t even try to recap it all.
Why should we care?
International trade is important. Businesses need to be able to operate in an international environment, and in order to do that data needs to be able to flow across national boundaries.
For example, we need to be able to transfer domain registration data to the various domain name registries around the globe, and to escrow registration data with Iron Mountain in the US.
What have we been doing?
As a company we’ve always tried our best to be a good corporate citizen and to respect Irish and EU law.
At times that has made it hard for us to conduct business; for example, we couldn't sign the new contract with ICANN until we were sure that we'd be able to get a data retention waiver.
When we speak to vendors we always stipulate that any data that isn't going to be physically stored on our own servers in Ireland must be stored either in Ireland or in another country within the EU.
We, and other European registrars, have asked ICANN to put EU based data escrow providers on an equal footing with Iron Mountain. To date that has not happened and Iron Mountain has tried to rely on a contractual amendment to cater to European concerns.
What can we do?
Late last year the Internet Infrastructure Coalition organised a "fly in" for members, which basically meant that I spent a couple of days on Capitol Hill with other actors in the infrastructure space, talking to US politicians and their staff and trying to persuade them of the importance of addressing this and other issues.
We also wrote to several politicians and influencers to highlight the importance of finding a solution to this issue.
What should happen?
Ideally the EU and the US should reach some kind of agreement that is acceptable to the Article 29 Working Party (the group of EU data protection authorities) and others.
Has there been any progress?
Earlier today the EU announced that it had reached agreement with the US on a new regime, which they're calling "the EU-US Privacy Shield".
While the EU is hailing the new agreement as a solution, it has yet to receive any approval from the Article 29 Working Party or others. As The Guardian notes in its coverage of the accord this evening, it is open to challenge.
We’ll be watching how things pan out with this new agreement, but like others, until we hear otherwise we aren’t going to assume that the new EU-US Privacy Shield is the “silver bullet” we’ve been waiting for.