Europe Raises Red Flag over Safe Harbour's Choppy Waters

There’s general agreement that Safe Harbour is no longer fit for purpose, less so on alternatives

The Safe Harbour data sharing relationship between Europe and the US has blood in the water and a number of circling sharks. Safe Harbour is a provision that extends the trust that European states share over the treatment of local data to the US. It has been around since 2004 and the arrangement has been cosy enough, but the last year has seen revelations that have shaken European trust in it to its core.

Safe Harbour was supposed to be just that, a safe, secure way of moving and sharing data but now, if reports are to be believed, it harbours threats. Massive hacks on US companies and their servers have muddied the question of trust, and what trust there is has been perhaps irreparably damaged by the allegations of wholesale snooping by the US on the most innocuous of European properties.

Since last summer, when revelations about the US National Security Agency and, to a lesser extent, the UK's GCHQ came to light, ministers from the European Commission have been considering whether to apply a firm edit to the rules or get rid of them altogether.

Late last year MEP Claude Moraes said that the decade-old agreement is no longer adequate. Then, he was calling for the EC to suspend the non-binding arrangement and for an inquiry at the European Parliament.

“The leaks from Edward Snowden have thrown into the spotlight the inadequacies of the Safe Harbour framework in terms of protecting EU citizens from mass surveillance of the NSA and in particular the vulnerabilities behind EU citizens’ data sovereignty when it comes to cloud computing,” he said.

“It is clear that the existing Safe Harbour agreement does not offer EU citizens any protection against either Foreign Intelligence Surveillance Act (FISA) or Patriot Act in the US. It can no longer be considered to be a viable mechanism for cross-border flows from the EU to the US.”

Moraes is not the only fisherman to patrol the seas in the harbour, and the German Chancellor Angela Merkel has made repeated noises about the agreement and whether it is worth pursuing any longer.

Merkel, who may have been monitored by the US agency for as long as the Safe Harbour arrangement has been in place, is mooting whether Germany and France should pursue their own data network, one that does not include either the US or UK.

"We'll talk with France about how we can maintain a high level of data protection," she said in a podcast where she discussed an upcoming meeting with French President François Hollande.

"Above all, we'll talk about European providers that offer security for our citizens, so that one shouldn't have to send emails and other information across the Atlantic. Rather, one could build up a communication network inside Europe."

Also vocal is the European Union Commissioner for Justice Viviane Reding who has called for a change programme.

"For Safe Harbour to be fully roadworthy the US will have to service it. This summer, we will see how well those repairs were carried out. Safe Harbour has to be strengthened or it will be suspended," she said.

"Secondly, we have to agree on strong data protection rules in the law enforcement context. We need a robust EU-US data protection agreement in the law enforcement sector (the so-called Umbrella Agreement) which ensures EU citizens keep their rights when their data is processed in the US."

Not everyone agrees with this of course, and some experts suggest that the US is very well placed to preserve data, whatever the evidence suggests.

"The US government, with some exceptionally strong technical leadership in the Federal Trade Commission (FTC), is taking a leading role in protecting consumer security and privacy in the US," said Gary McGraw, CTO of software security consulting specialist Cigital, when polled on Safe Harbour's prospects.

One alternative to Safe Harbour is the Binding Corporate Rules (BCRs). These can be used by multinationals that want to move data between their own entities.

David Harley, senior research fellow at global security firm ESET, suggested that any data protection rules were equally likely to be muddied in this world of “increasing sophistication of surveillance operations” and recommended that accord be reached over Safe Harbour.

“A particular difficulty arises when, even if an individual’s right to opt out is observed, he or she isn’t necessarily aware that transfer is taking place to a region where protection is limited when surveillance is considered justified for reasons of national security,” he said.

“In the real world, I’m not sure that the protection afforded by 95/46/EC compliance in European states has much less potential for infraction than the Safe Harbor rules. We can only hope that the proposed General Data Protection Regulation will raise EU data protection standards and the US Department of Commerce and Federal Trade Commission will improve the functionality and enforcement of Safe Harbour, not only to ensure that the national security exemption is not misused, but also in accordance with the enhanced GDPR.”

Currently the FTC has a relatively relaxed attitude to Safe Harbour breaches. It reminds us that certification is self-awarded and that firms should consider how appropriate their use of the framework is.

Whatever the EC decides to do, it faces a considerable challenge, not least of all in keeping all parties happy, but also when it comes to restoring a bit of trust in the systems that we have grown to rely on.

Rick Falkvinge, the leader of the original Pirate Party and an outspoken privacy campaigner, called the idea of a European network “a silly idea”, adding that it “can only be conceived by somebody who gets their emails printed for them by their secretaries.”

He added that Safe Harbour is washed up and suggested that companies look to their own shores for areas like cloud storage.

“NSA's wholesale, indiscriminate spying is a blatant violation of the social contract, of people's rights, and a so thorough breach of trust that it will take decades to repair. Safe Harbour is essentially dead. While European citizens can share their personal data with a US-based company on a voluntary basis, they need to understand and recognise that it effectively amounts to a publication of that data,” he said.

“The EU Parliament needs to recognise the shifted landscape and immediately revoke existing sharing of citizen data with the United States. European data must be subjected to considerably stricter information hygiene than has been applied or considered so far.”
David Neal has been writing about technology since the Millennium Bug. He’s survived Alta Vista and the I Love You virus, and now works from his home in Kent.