EU Safe Harbor Ruling And The New General Data Protection Regulation
What Does It Mean For Data Governance And The Archiving Community?
Back around the turn of the millennium, the European Court of Justice, defined its “Safe Harbor” ruling to regulate how personal data was transferred and stored between companies based on different continents, mainly related to EU and US communications. Back then, the internet was in its infancy and there was not yet much talk of “Cloud Computing” or “Big Data”. Nevertheless, the EU was clearly aware of the need to understand how personal data was being shared between companies and seek to regulate this process in order to protect the sensitive data of European citizens, whether that data was in Europe or not.
More recently, Edward Snowden’s NSA revelations prompted others, such as Austrian law student, Max Schrems, to litigate on the basis that his personal data stored on Facebook was not being adequately protected after it had been moved to US-based servers. After an appeal, and some two years’ worth of legal back and forth, Schrems won his case and set a legal precedent that EU Safe Harbor legislation was now defunct and in need of serious overhauling.
With a deadline for finalisation and early-stage roll-out of January 2016, the new “General Data Protection Regulation (GDPR)” looks set to completely change the face of how EU personal data is protected. As they are still being negotiated, it’s hard at this stage to be completely clear on what the final changes will entail but here is a list of concepts to be going on with:
- The right to be forgotten or deleted – organisations may be required to delete personal data, if requested, unless the data falls under some other record keeping obligation
- The right to be notified of serious data breaches: notifications both to data protection authorities and/or individuals if their privacy is at risk
- The right of access and portability: individuals can ask what data a company holds on them and ask for access to it
- The principle of accountability: proving that the company is a legitimate data custodian, that it understands how, where or when data is stored and how it should be accessed, treated and transferred
Big changes then, but what do they mean for company email record keeping and email archiving? Some suggested questions to ask of your company, if you happen to be the one tasked with a GDPR risk assessment:
- Does my organisation store data “off-shore”? Including not just email data, but file shares, Sharepoint servers, CRM servers etc.
- More specifically, where is any data related to EU users stored? On servers based inside the EU, or elsewhere?
- How is my Cloud infrastructure configured? Does my organisation store data in EU-based data centres or US-based, or both? Can my Cloud service provider definitively tell me where my organisation’s data is stored? Does my organization have policies in place that define which user data is stored in which geographic location?
- More specifically, do I have email hosted by Microsoft Office 365? Where is that data physically located?
- Are there scenarios where it’s required that user data be shared across different continents? Either internally within the company or with other companies/institutions?
- More specifically, where do eDiscovery case-assessments take place? Outside of the country/continent that the data originated in?
- Considerations about what happens to user data in the event of an international merger or acquisition, where the new parent company becomes the legal custodian of legacy user data.
And some suggested tactics for minimizing exposure to practices that will be affected by the new ruling:
Tactic 1: Minimise the collection of sensitive user data as much as possible
Tactic 2: Host and process data locally, minimise the need to transfer it outside of the country it originated from
Tactic 3: Segment the data – store EU user data, or sensitive data, separately – or at least make sure this subset can be accessed in isolation
Tactic 4: Restrict access to only those inside the EU So what next?
A hard, fast and definitive set of regulations still seems some way off, and enforcement of non-compliance can only really begin once those regulations have been clearly defined and implemented. Nevertheless, it would be prudent for organisations to undertake a data audit based on the questions and tactics detailed earlier in this piece
Many organisations are already finding alternative ways to transfer personal data from the EU to the US, by side stepping some provisions. Although, a very recent data protection ruling in Germany suggests that one approach, making companies or individuals sign contracts that waive their rights of ownership over data, is unlikely to withstand legal scrutiny.
Major Cloud service providers are planning their strategies and deciding what steps need to be taken to resolve this issue. Microsoft were the first to act upon the latest ruling, with CEO, Satya Nadella, announcing at Microsoft ‘Future Decoded’ that they will be expanding their data coverage by opening a UK datacenter in 2016. The announcement means Microsoft’s public cloud service, Azure, will be supported by 21 datacenter worldwide, though the UK’s datacenter will only be the third in Europe (alongside Ireland and Netherlands).
Clearly not every implication raised in this piece is relevant for companies using email archiving, or considering an email archive migration. However, with experience of over 1100 customer migration projects behind it, Transvault is rather uniquely placed to understand how email data protection issues might arise, and crucially, how to mitigate against them with proper email data governance and water-tight migration practices.