
Business Report

Europe Raises Barriers to American Data Transfers

Citing Snowden, a European court throws into doubt whether many U.S. companies can easily haul European data across the Atlantic.

In October the European Union’s highest court invalidated the data protection agreement known as Safe Harbor, which had allowed 4,332 American companies to transfer the personal data of the European Union’s 500 million citizens back and forth across the Atlantic.

The decision was a result of the 2013 revelations by NSA contractor Edward Snowden, which exposed the U.S. government’s access to personal data on the servers of companies like Google and Microsoft. Now, U.S. companies are facing pressure to keep the data of European users in Europe. And in some cases Europeans may be left in the hands of lesser-known companies whose main selling point is that they’re not holding data in the U.S.

This story is part of our March/April 2016 Issue

There is little evidence that either trend will benefit cybersecurity, says Herbert Lin, a senior researcher at Stanford’s Center for International Security and Cooperation. “I would argue that in general the American IT industry is significantly ahead of the rest of the world, and if you want the best technical talent applied, you go American,” he says. He points out that intelligence agencies in the United Kingdom, Germany, and elsewhere in Europe were just as deeply implicated in the Snowden documents as their counterparts in the U.S. “Just because the data is hosted over there doesn’t change the security dimensions of it very much,” he adds.

Safe Harbor was established in 2000 as a way for American businesses operating in Europe to self-certify that they were in compliance with the stricter privacy protections afforded by law to European Union citizens, which include the right to access the personal data collected by companies, as well as the right to have that data deleted.

Prodded by the Snowden disclosures, the European court basically said it was no longer going to take American companies’ word for any of this.

With the agreement now abolished, American companies had until the end of January to demonstrate some other mode of compliance. Companies face the nightmare of either reworking all their contracts to include clauses preapproved by European regulators or asking users to provide so-called “informed consent” to every data transfer. Both options are unwieldy for many businesses, says J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals in Washington, D.C., and may make it impossible for them to operate in Europe.

First Data, a company that processes 2,300 financial transactions per second for clients in 118 countries around the world, got ahead of the ruling by bringing in lawyers to help it secure approval for its data policies from regulators in the United Kingdom in a lengthy bottom-up review of the whole company. “We had to pull in as an organization all of our teams to be able to say we’ve got the right processes and procedures in place to protect data,” says Christine Sevener, First Data’s chief privacy officer.

Others with enough cash to afford it are establishing special data centers abroad. In November, Microsoft announced that it would soon begin hosting the cloud data of E.U. citizens in Germany in partnership with a subsidiary of Deutsche Telekom. Not only does the move sidestep the issue of trans-Atlantic data transfers, but there is a clear business case to be made for it; Microsoft pointed to a study showing that 83 percent of German businesses expect their cloud provider to operate data centers locally.

Talks between U.S. and European policy makers are aimed at forging a new agreement. This will be critical to avoiding a balkanized cybersecurity landscape where companies have to deal with different rules and regulations whenever data moves across a national border.

Under the ruling, “each country in Europe is going to be responsible for determining on their own whether or not [data transfers] are valid,” says Daniel Castro, vice president of the Information Technology and Innovation Foundation, a think tank based in Washington, D.C. “So it’s not just that the court has raised the cost of compliance, but they’ve also multiplied it times all the different European Union member states.”
