Safe Harbor? Currently under Construction
Since yesterday the term safe harbor gained new relevance. The agreement from over 15 years ago made it possible to store personal data on American servers, although it is actually prohibited under the EU data protection directive.
How did that happen?
The European Commission offered companies a chance to store personal data legally in the US. Requirements are, though, that the EU Commission acknowledges the privacy policies in the third country as appropriate. US companies have to agree to special data privacy regulations, to become a “Safe Harbor” for European data. As of today, more than 4.000 US companies are on the safe harbor list – among them global players, such as Dropbox, Google, or Microsoft.
Safe Harbor – not enough for the European Court of Justice
Since yesterday, safe harbor may be a chapter in history. The European Court of Justice announced a decision in the case of Austrian Max Schrems against the Irish Data Protection Authority. The judges ruled the safe harbor agreement as invalid. The agreement would not protect personal data of European customers from authorities accessing the data. The exchange of data between US companies and authorities, such as the NSA, violate the rights of customers, whose data is being handled.
What does that mean for Dropbox, or OneDrive users?
For private users, this will not have significant consequences. They can decide where to store their data and they agree to the terms of use of the providers. For companies, the consequences are more severe. Lists of customers on Dropbox, or personnel files at OneDrive: Those fall under personal data that is affected by yesterday’s verdict. The EU and the US already started to negotiate a new agreement, which complies with European data privacy regulations. But this could take a while.
To be on the safe side, companies would need the permission of all affected persons, to store their data in the US. This could prove difficult and complicated, and could destroy the trust in the company. Imagine your boss would hand you a form to fill out, where you agree that your social security number is stored in the US. This does not support the image of a responsible and trustworthy employer.
Alternatives to safe harbor
- Standard EU clauses in contracts: The EU Commission determined those for the transfer of personal data in third countries, to ensure appropriate data protection.
- Binding corporate rules: International companies, such as Dropbox, could introduce companywide binding rules for data privacy.
Companies are not keen to do that, because they would have to bow to European data privacy.
Encryption as a solution
To avoid this dilemma companies could consequently encrypt all personal data, before storing it at American providers. According to several law specialists, encrypted data does not count as personal data anymore. However, it is important to use end-to-end-encryption with zero knowledge standard. Nobody but the user can decrypt the data. Dropbox, for example, offers some kind of encryption, too. But they also hold the keys to decrypt them, if they feel like it.
Why is this not safe enough?
The person who holds the keys to decrypt, can access the data. In this case, your data would be protected by hackers. But if Dropbox faces a request of American authorities to hand over the data, they could do so, because they are able to decrypt it.
Zero knowledge providers, such as Boxcryptor, do not hold the private keys to decrypt the data. Therefore, companies can be sure, not to break the EU law by storing data abroad – as long as it is encrypted with zero knowledge standard. When using Boxcryptor, you show your customers and employees that you stay in control of the personal data, they entrust you with.