You may have missed this earth-shaking event. Hopefully your corporate lawyers didn't miss it: the US Safe Harbor Program no longer protects EU citizens' data when that data is transferred to systems that are potentially subject to US goverment surveillance.

What does this mean for your company? If you are a U.S.-based company, you'll want to move all of your European customers' data to customer clouds that are physically resident in the territories in which those customers live and work before the end of January 2016.  If your European customers' data is sitting in a data center or a cloud that is not physically located within the EU, you may be liable for failure to protect the basic human right to privacy, which is guaranteed in the Charter of Fundamental Rights of the European Union.

US Safe Harbor Program No Longer Protects European-US Data Transfers

On October 6, 2015, the European Court of Justice ruled that the Safe Harbor program does not adequately protect the human right to privacy of European citizens because it cannot guarantee them that they won't be subject to surveillance by US government agencies.

Max Schrems (left) walks out of the European Court of Justice with his lawyer, Herwig Hoffman right after the ruling. Photo by Geert Vanden Wijngaert/AP.

The best analysis we've found on the impact of this ruling on information technology policy for US companies comes from our long-time colleague, Donald Callahan, of Duquesne Advisory Services in France. In his excellent, thorough, and easy to understand article, Collapse of Safe Harbor: What Happens Next?, Donald explains the intracacies of the Max Schrems vs. Facebook ruling by the European Court of Justice. He concludes that there is no way that the EU and US will be able to agree to an acceptable "Safe Harbor 2" program before the deadline of January 31, 2016.

"In this upcoming transatlantic showdown, a persistent, underlying difficulty will be that the United States and Europe have very different visions of personal data protection and privacy. At the risk of overgeneralization, one could say that the American side tends to treat data protection as a consumer protection issue while Europe sees it through the lens of human rights. Europeans (especially in continental Europe) also see respect for private life as a fundamental right, a viewpoint which is less generally accepted in the United States, especially in matters of electronic privacy. "

If you're thinking that this is just a policy debate that you can leave up to the regulators and the lawyers and wait it out, you'd better think again. Many European government agencies are already taking action, as reported in this article, "No change in US law, no data transfer deals – German state DPA" by Andrew Orlowski, which appeared in The Register on October 15th:

"The data protection authority at the German federal state of Schleswig Holstein has declared that any and all data protection workarounds for the transfer of data to the US after the European Court of Justice's Schrems v Facebook judgment are going to be illegal.

In its first declaration on the post-Schrems legal landscape, the influential DPA says in a written opinion (in German) that only a change in US law can make US companies compliant with European legislation and has advised companies to adjust their business relationships accordingly.

It has warned businesses and governmental bodies that they may be fined up to €300,000 for the transfer of personal data to the US 'without a legal basis'."

So what should US companies do, according to Donald?

"Keeping European data in Europe will be a very serious option. Numerous reports have surfaced in the press about Tech companies considering the option of keeping European data in Europe, either directly or through a local partner. This sort of choice could involve significant investment and possibly the sacrifice of some of the business value in data, but it has the merit of simplicity. If transferring European personal data to the US is too much of a compliance headache, then just don’t do it."

Territory-specific Customer Clouds to the Rescue?

In March 2014, in an article entitled, Where are Your Clouds? Location Matters! I recommended a strategy for customer data -- for both B2C and B2B companies. Use territory-specific "customer clouds"  to provide flexible, secure access for customers to their own data. I wrote:

"Customers want to be able to access and manage their own information and activities from anywhere, and they want that information to be securely backed up and redundant. The most cost-effective way to satisfy customers' requirements is to take advantage of low-cost cloud computing services...One of the beauties of clouds is that you don’t care where the computers and the disks are. They can be housed in data centers anywhere in the world. But it turns out that clouds’ location matter. If you care about your customers, and you want to stay out of jail, you’ll want to pay attention to where any clouds containing customers’ information are physically located. What's the solution? Host your customer data in clouds in the jurisdictions corresponding to your customers’ home(s)."

Bottom line, I recommended that companies reverse their current cloud strategies. Don't start by housing your low-hanging, non-proprietary data in the cloud. Instead, you should lead your cloud strategy with customer data and applications hosted in secure private clouds in the jurisdictions in which those customers reside, and accessed by secure private networks that are encrypted end-to-end. Now, that Rx looks like it's pretty urgent.

But hang on, there's yet another fly in the ointment. Simply hosting customer or HR data in the person's home country may not be sufficient. The US government's position has been that if yours is a US-based company--whether it's GE, IBM, Microsoft, Google, Facebook, Amazon, Salesforce, or HP, just being a US Corporation may make ALL your data subject to US government surveillance.

Any US-based Corporation is Now Liable to US Government Surveillance Anywhere in the World?

In laying out the four negative consequences of the collapse of the Safe Harbor program, Donald Callahan concludes:

• "US Tech will take a big hit. The big losers in this situation are likely to be American Tech companies, especially the B2C Internet giants that the US government essentially bludgeoned into its mass surveillance activities. For these companies, even keeping their EU data in Europe may not be enough, if Microsoft loses its brave and principled battle against US claims of jurisdiction over emails stored in its Dublin facilities. If their data is not safe anywhere with US Tech companies, European customers will look elsewhere."

 As he intimates above, Donald Callahan also believes that the ongoing battle between Microsoft and the US government over the issue of whether or not US surveillance agencies have the right to demand access to emails stored in Microsoft's Dublin data center is also of great concern. Donald explains:

"In a different but related issue, continuing US claims to jurisdiction over data stored in the European facilities of US service providers potentially could make matters worse. In Microsoft vs the US, the company has been fighting an entirely admirable battle with the US government over emails stored in its Dublin data center. If it loses again in federal court, European confidence in US Tech – and more broadly in the United States whenever data is involved – would take another big hit.

In short, the EU and the US appear to be heading for a high stakes showdown over personal data protection ... and how it will all play out is far from clear."

 We'll come back to the Microsoft case in a separate post, but it's very much worth watching. In the meantime, here's a link to an excellent article in the Guardian, titled Microsoft Case: DOJ Says it can demand every email from any US-based provider. Donald Callahan also recommends this interview with Microsoft's General Counsel, Brad Smith.