Say goodbye to Safe Harbor and hello to EU-US Privacy Shield -- a new set of rules that governs how data can be transferred from Europe to the United States. Privacy Shield (dubbed Safe Harbor 2.0 by some pundits) is particularly important for IT service providers, VARs, MSPs and cloud providers that manage European customer data.
Updated Feb. 3, 4:00 p.m. ET: EU-US Privacy Shield Faces Critics, Questions, Concerns
The original Safe Harbor agreement ended in 2015. That agreement allowed cloud service providers (Amazon, Google, Microsoft, IBM, etc.) and other companies to move data between locations as long as there was an adequate level of protection and security in place. But concerns about potential Safe Harbor shortcomings spiked as European countries learned about the U.S. spying system (also known as the NSA).
What Is EU-US Privacy Shield?
U.S. and European officials spent recent months negotiating a new data protection agreement. It arrived yesterday, with the name EU-US Privacy Shield. Proponents say the new agreement will allow citizens to take legal actions against companies that misuse their data. It also includes annual procedural reviews -- to ensure Privacy Shield remains flexible enough to evolve amid this shifting IT landscape (cloud, mobile, social, big data, IoT, etc.).
According to the Washington Post, Privacy Shield offers "several assurances" from the U.S. side, including:
- Access to Europeans' data by law enforcement and national security agencies would be subject to "clear limitations, safeguards and oversight mechanisms."
- U.S. companies would have to agree to a set of standards on how personal data is processed, while guaranteeing individual rights. The Department of Commerce will ensure the companies post those promises publicly, which makes them enforceable under U.S. law by the Federal Trade Commission.
- Europeans will have new ways to address about how their data has been handled by companies. If they lodge a complaint, the companies will have a deadline to respond. E.U. citizens can go through their local data protection authorities to complain to the FTC. The pact also sets up a no-cost "Alternative Dispute resolution" process for consumers.
- The U.S. will also set up a new ombudsperson at the State Department to respond to complaints about potential access to data by the national intelligence community.
Still, critics in Europe allege that Privacy Shield isn't strong enough -- and some of those critics worry about the next U.S. President potentially undermining the effort to balance privacy and data sharing.
Also of note: Privacy Shield isn't an official policy just yet. The European Union's 28 member states still need to finalize the deal, according to The Washington Post. And plenty of legal challenges could pop up along the way, the paper says.
EU-US Privacy Shield: Tips for VARs, MSPs, Channel Partners
Privacy Shield's potential emergence arrives at a critical time for IT service providers -- many of which are expanding across international borders or trying to leverage data centers in multiple countries.
Channel partners working with cloud services providers and data center providers should double-check each company's:
- Physical data center and storage locations.
- Adherence to certain compliance regulations (examples: HIPAA, ISO, SSAE, etc.), while double-checking country-specific regulations.
- Policies for responding to court subpoenas and turing over customer/partner data.
- Encryption standards -- including who holds the encryption keys.
- Potential alignment with Privacy Shield.
Admittedly, most cloud service providers will need some time to study EU-US Privacy Shield -- and any forthcoming tweaks -- before they can effectively address questions from channel partners. When working with CSPs, tell your channel account manager that you'd like to hear how they are studying and/or preparing to address Privacy Shield. I suspect most CSPs won't have answers near-term. But keep asking the question. The best CSPs will develop and share the clearest answers ahead of the pack.