Boxcryptor IT Security Blog

Safe Harbor? Currently under Construction

Since yesterday, the term "safe harbor" has gained new relevance. The agreement, concluded over 15 years ago, made it possible to store personal data on American servers, although this is actually prohibited under the EU data protection directive.

How did that happen?

The European Commission offered companies a way to store personal data legally in the US. The requirement, though, is that the EU Commission acknowledges the privacy policies in the third country as appropriate. US companies have to agree to special data privacy regulations to become a “Safe Harbor” for European data. As of today, more than 4,000 US companies are on the safe harbor list, among them global players such as Dropbox, Google, and Microsoft.

Safe Harbor – not enough for the European Court of Justice

Since yesterday, safe harbor may be a chapter in history. The European Court of Justice announced its decision in the case of the Austrian Max Schrems against the Irish Data Protection Authority. The judges ruled the safe harbor agreement invalid: the agreement does not protect the personal data of European customers from access by authorities. The exchange of data between US companies and authorities such as the NSA violates the rights of the customers whose data is being handled.

What does that mean for Dropbox or OneDrive users?

For private users, this will not have significant consequences. They can decide where to store their data, and they agree to the providers' terms of use. For companies, the consequences are more severe. Customer lists on Dropbox or personnel files on OneDrive are personal data and are affected by yesterday’s verdict. The EU and the US have already started to negotiate a new agreement that complies with European data privacy regulations. But this could take a while.

To be on the safe side, companies would need the permission of all affected persons to store their data in the US. This could prove difficult and complicated, and it could destroy trust in the company. Imagine your boss handing you a form to fill out in which you agree that your social security number is stored in the US. This does not support the image of a responsible and trustworthy employer.

Alternatives to safe harbor

  • Standard EU clauses in contracts: The EU Commission defined these for the transfer of personal data to third countries, to ensure appropriate data protection.
  • Binding corporate rules: International companies, such as Dropbox, could introduce companywide binding rules for data privacy.

Companies are not keen to do that, because they would have to bow to European data privacy.

Encryption as a solution

To avoid this dilemma, companies could consistently encrypt all personal data before storing it with American providers. According to several legal specialists, encrypted data no longer counts as personal data. However, it is important to use end-to-end encryption with a zero-knowledge standard, meaning that nobody but the user can decrypt the data. Dropbox, for example, offers some kind of encryption, too. But it also holds the keys and can decrypt the data if it chooses to.

Why is this not safe enough?

Whoever holds the decryption keys can access the data. In this case, your data would be protected from hackers. But if Dropbox receives a request from American authorities to hand over the data, it could do so, because it is able to decrypt it.

Zero-knowledge providers, such as Boxcryptor, do not hold the private keys needed to decrypt the data. Therefore, companies can be sure that they are not breaking EU law by storing data abroad, as long as it is encrypted with a zero-knowledge standard. When using Boxcryptor, you show your customers and employees that you stay in control of the personal data they entrust you with.
