zhu difeng - Fotolia
The EU and U.S. Safe Harbor agreement to streamline processes for how data moves across the Atlantic was struck down by the European Court of Human Justice. This makes things interesting for international data centers that carry out business on both sides.
Although the Safe Harbor policy agreement enabled organizations to opt in to an overall umbrella to cover data movement, we actually need a full set of company-to-company and company-to-person agreements around how data is stored, moved and handled.
This kind of comprehensive and granular planning is impossible, so it would be reasonable to expect that the respective governments will instead focus on a new Safe Harbor agreement that can replace the one the European Court of Human Justice decided was invalid. Reasonable? Yes. Probable? Very unlikely.
It became generally recognized that the Safe Harbor agreement was unfit for purpose, and the U.S. and the EU have been arguing about a replacement for over three years -- and don't seem any closer to a new deal. The old agreement has, in essence, been torn up and does not seem to have concentrated efforts on the overarching theme of international data protection for multinational businesses.
Safe Harbor's failure will have a minimal effect at the high level. The groups responsible for dealing with organizations that do not follow data security and management procedures are the same ones that can't reach agreement on a new Safe Harbor. Organizations compliant to the requirements of the old Safe Harbor are unlikely to be taken to court, as the countries that drew up the EU Directive 95/46/EC on the protection of personal data agreed that Safe Harbor was compatible with the directive. If an international data protection trial does arise, pointing out that your organization is compliant with current laws in place should be a clincher.
The bigger issue is who can get at what data where and through what means. Enterprise IT teams are obligated to protect corporate data, and with global customer bases as well as international data centers, data movement and storage have legal implications.
Regulation and law
The Patriot Act sent ripples of worry through non-U.S. countries that the U.S. government could gain access to any information it saw fit. The Patriot Act did have a reasonable amount of oversight built in, and would be an unlikely tool for a standard case of uncovering commercial data. The U.S., however, also had the Federal Information Security Management Act, which could be used more broadly at the government's will.
Both of these potential data security threats, however, were trumped in a federal case involving Microsoft's data that is stored internationally in a data center in Ireland. Microsoft insists that data privacy laws of Ireland protect it from warrants. The federal magistrate argued that, just as with any piece of paper, the location of a piece of information is immaterial. If data is in the ownership of a company, then a warrant of disclosure can be served, and the company must turn it over. Microsoft has appealed the case and is protecting future data by hosting its cloud services in Germany.
The data that Microsoft is being asked to hand over is not really its property. It is a set of email messages sent by others and stored on Microsoft's servers. The legal approach is that the data on the servers is also the property of the company that owns the servers.
See the problem here? You may think that your corporation doesn't operate international data centers, but what about the IT workloads and storage that you outsource to the cloud? When using any public cloud service, if the owner of that service is headquartered in the U.S., then any and all data that you have created and stored on its platform is accessible through legal means by the U.S. government -- even without your knowledge. The cloud service provider might simply hand data over under a simple disclosure warrant -- and keep quiet about it.
The future for international data protection
What if the U.S. government decides to take things a bit further and apply the same rules to any servers owned by a company based in the U.S., no matter where those facilities are located? This would affect colocation providers and their customers. Even private data centers would not be sacrosanct; if any entities involved -- a company that owns a company or holds a majority stake in it -- is headquartered in the U.S., a disclosure warrant could force operators of international data centers to hand over data.
What can be done about this? If you believe there is a risk with the U.S. government accessing and using your corporate data, carry out due diligence on all the services used for IT. Is your preferred service provider headquartered in the U.S. or owned by an entity that is? Does it have data centers that are regionalized so that your data lives within your own region? Are these data centers set up in such a way as to deter U.S. company ownership? For example, is the data center in Germany set up as a GmbH -- a company with limited liability -- and have a minority holding by any U.S. "Inc." or "Corp."?
If you must use a provider headquartered in the U.S., either with only data centers based in the U.S. or wholly owned regional data centers, ask about the provider's approach to how they would deal with a disclosure warrant. Do the company's leaders see data stored in their facilities as yours, and refuse to hand it over at all; do they see the data as yours, advise your company when a warrant is served and that the data will need to be handed over; or do they just acquiesce quickly and quietly to disclosure warrants?
Ask providers how they handle encrypted data. Will they hand it over in encrypted form only, saying that it is the only form in which they 'own' the data, or will they decrypt it so that it is in the clear for the authorities to look at?
Take steps to Safe Harbor
Whether you have your own private data center, are based in a colocation facility or are using as a service offerings, it is time to review your data security strategy. Encrypt sensitive data; secure personally identifiable information; and align your data center and IT strategies with what is likely to happen at a local, regional and global level around data laws. For example, you may want to track the proposed data regulations in the EU 95/46/EC Directive.
Work on the premise that you can never trust any platform, company or politician when it comes to international data protection. No matter where on the planet your corporate data resides, ensure that it adheres to security best practices via encryption, data leak prevention and digital rights management. If possible, put data in outsourced facilities on storage systems that your company owns. Audit data movement and access. Then, let the authorities worry about what legal tools they would need to get greater access to the data itself.
Points to know when building a data center abroad
Considerations to choose a good outsourcing partner
Some IT workloads can't leave home
Five ways to secure your data