Safe Harbor: Is it safe ?

Safe Harbor is a US government program in co-operation with the EU and Swiss governments providing self-certification for companies concerning the security of data gathered outside of the USA, but residing on servers within the USA. It tells the overseas participants, the EU and Switzerland, that the data will be kept private and secure within the USA. Norway, Iceland and Liechtenstein have also agreed to be bound by this agreement.  You can find out if a company is Safe Harbor compliant on the Safe Harbor website, http://www.export.gov/safeharbor/ .

The Safe Harbor framework is vital for any company in the US that carries out data collection (data import in Safe Harbor terms) in Europe using computer systems based in the USA. Without it, the nightmare of having to comply with 30 countries differing security requirements would be crippling to data collection activities.

The introduction by CASRO (casro.org) of a Safe Harbor assistance program is a tremendous help to US based MR or survey companies who carry out research in Europe. This program makes it easier for CASRO members to become Safe Harbor certified and also provides a mediation channel for dispute resolution, a requirement for Safe Harbor compliance.

So all is right in the world. Become Safe Harbor compliant and you are now all set to collect data from Europe without violating any security requirements of European countries!

The problem is that this isn’t quite true.

There is a threat to Safe Harbor and it raises the specter of a world without a substantial Safe Harbor system. This threat started in Düsseldorf, Germany in 2010. Germany has a federal system of regional government, each of the 16 states within the German federation has significant legal powers. In April of 2010 the “Düsseldorf Circle” met. This was an informal group of data protection officials from each of the 16 states within Germany. They passed a resolution that meant that they no longer accepted membership to the Safe Harbor agreement as reliable enough to allow data collection by US entities within each of the German states. They stated that there was a requirement for further due diligence on the part of German companies “exporting” data to the US beyond those required by Safe Harbor. In short, they needed to undertake their own due diligence with the US data importer and the onus is on the German companies to make sure they are satisfied that the US importer is secure enough.

In practice this means that when you agree a deal with a multinational European company to collect data from all their companies in Europe, you have to not only be a member of the Safe Harbor program but often also sign a separate agreement with the Germany subsidiary company because of German federal law. It also applies to global US based companies; the German subsidiary will often require an agreement of their own. This agreement is often part of the EU directive on data storage, a sort of re-affirmation that the data will be kept safe while in the US. Sometimes the German company simply decided not to be part of the global master agreement and to use local facilities to store German data so it never crosses the shores of the USA.

So far this seems only to be happening with Germany, but it represents a crack in the Safe Harbor system. The United Kingdom has some very strict laws regarding data collection and privacy. For instance, you have to actively agree to allow websites to use cookies on your computer. All UK websites will ask for this permission when you first visit them. Very often UK companies will require that data collected within the UK resides on servers in the UK and that it is not exported to the USA. This trend is becoming more common, companies want their data in the their country. It may only be a matter of time before other European countries follow the lead of Germany and require data exporters to have their own agreements, outside of Safe Harbor, with US data importers.

After the controversy surrounding the revelations by Edward Snowden concerning the USA and government spying, the USA is unfortunately regarded with suspicion in much of Europe when it comes to data security. Earlier last year the French and German governments held talks regarding an Internet communications system that would avoid data (mainly email) passing through the USA to shield it from USA government spying. This shows the level of concern in Europe about USA data security.  It is not in anyone’s interest to go back to having agreements with each nation within the EU concerning data exporting to the USA, it will be very time consuming, chaotic and only to serve to stifle business for US companies who want to collect data globally.

Companies such as Amazon can provide one possible technical solution to local country storage requirements. Amazon, along with selling anything you could possibly think of, also sells cloud-computing resources via “Amazon Web Services” (AWS). AWS is also able to localize the cloud services so that your data can be in a specific place, for instance Frankfurt or Ireland. It could be a solution for US based companies gathering data but needing the data to be stored in another country. But it is by no means simple to split data storage across facilities in this way, so while it sounds like a solution, implementing it could be harder than it looks.

Safe Harbor is very much in the interest of global MR client companies. It allows streamlined data collection operations from a single US source, rather than having to have data collected from many different countries individually. It makes data collection much more efficient and hence more economic, not to mention cutting down the time taken to implement data collection agreements. Safe harbor is vital to US data collection companies and needs to be kept safe.