Safe Harbor: The Access Control Quandary

The October 2015 ruling of the Court of Justice of the European Union invalidating Safe Harbor changes everything about the way personal data is handled in the global economy. Well, at least it does for the roughly 4,500 organizations that self-certified under the Safe Harbor agreement; they can no longer transfer EU citizens’ data to the US in the way it has been done (legally) for the past 15 years. For followers of all things privacy, this is not a big surprise, as the way enterprises collect and process data has changed beyond all recognition since Safe Harbor was commissioned.

Consider that at the inception of Safe Harbor in 2000, Bill Clinton was President of the United States, Y2K rolled in without a major crisis and American Beauty won five Oscars. For further historical reference on the evolution of Safe Harbor, we’ll have to go back to 1995 when Windows 95 was released, DVDs were announced and Shaggy, Coolio and Hootie and the Blowfish(!) were in the pop charts. Let’s just say October’s Safe Harbor ruling was long overdue.


Since 1995 there has been an EU data protection directive which, among other things, banned transfers of personal data to countries not deemed to offer adequate protection, except in certain circumstances. Very few countries were deemed adequate, and the US was not among them.
Since 2000, under the Safe Harbor agreement, companies could transfer, process and store that data in the US if they self-certified to a stricter set of data protection principles. But revelations about US surveillance practices gave rise to legal challenges to Safe Harbor.
After the October 2015 ruling, national data protection regulators can investigate transfers to the US and determine for themselves whether they comply with EU law. Companies must now rely on alternative mechanisms to legitimize transfers of personal data outside the EU.

Declaring Safe Harbor invalid is only the third major ruling in modern times regarding the transfer of European citizens’ personal data**.

Of course some companies are better prepared than others for this shift. Some enterprises already keep EU data on dedicated servers in Europe, or have the EU Standard Model Clauses in place and are sharing data accordingly. If your organization was not prepared for this change (and you’re not alone), you should read the five things you should know about Safe Harbor to understand the landscape and what your options are.

The end of Safe Harbor may be just the first hurdle facing organizations with operations in the US and throughout Europe. Another landmark European case could have a further impact on personal data privacy. To cut a long story short (the long story is available here), Weltimmo, a Slovakia-based company running a property website aimed at Hungary, shared advertisers’ personal data with a Hungarian debt collection agency to recover contested unpaid invoices, and in doing so violated Hungarian law. The Hungarian data protection authority fined Weltimmo about €32,000; Weltimmo challenged the fine, arguing it was established in Slovakia and not subject to Hungarian law, and the Hungarian court referred the question to the Court of Justice of the European Union. The Court recently ruled in favor of the Hungarian data protection authority.

Why is this so important? If you carry out real and effective activity, or have a presence, in a specific European country, this ruling means you can be subject to that country’s data privacy legislation, even if you are formally established elsewhere. So if you have operations in several European countries, you are subject to each of their regulations, regardless of where the personal data is stored or processed.

This means access to personal data needs to be dynamically managed per user, per customer, and per jurisdiction. And thankfully, you’re at the home of dynamic authorization.

There are 28 countries in the EU, three more (Iceland, Norway and Liechtenstein) that apply the EU directive through the EEA agreement, and Switzerland with its own data protection law. That means being compliant with the regulations of up to 32 jurisdictions.
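To make the “per user, per customer, per jurisdiction” point concrete, here is an added example of a small attribute-based policy decision point, written for this post and not code from the original page or from any vendor product. It combines subject attributes (role), resource attributes (which country’s law follows the data subject) and context attributes (purpose, destination country, transfer mechanism, consent, date) into a single decision. The role set, the adequacy list, the per-country consent rule for debt collection and the scenario data are illustrative assumptions, not statements of what any country’s law requires; only the EU membership list, the EEA countries and the 6 October 2015 ruling date come from the public record.

```python
"""Jurisdiction-aware ABAC policy decision point (illustrative example).

Assumptions (not from the original post): the role set, the adequacy list,
the per-country consent rule and the scenarios are placeholders chosen to
show how the attributes combine, not legal advice.
"""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, Optional, Tuple


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"


@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str


@dataclass(frozen=True)
class Resource:
    record_id: str
    data_subject_country: str  # ISO 3166-1 alpha-2: whose law follows the data
    personal: bool = True


@dataclass(frozen=True)
class Context:
    purpose: str                               # e.g. "customer_service", "debt_collection"
    destination_country: str                   # where the data will be stored or processed
    transfer_mechanism: Optional[str] = None   # "model_clauses", "safe_harbor" or None
    consent: bool = False                      # data subject consented to this purpose
    today: date = field(default_factory=date.today)


# EU member states as of 2015 (28) plus the three EEA/EFTA states.
EU_2015 = frozenset("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU "
                    "MT NL PL PT RO SK SI ES SE GB".split())
EEA_2015 = EU_2015 | frozenset({"IS", "NO", "LI"})
# Countries treated as adequate; only CH is listed here (illustrative, incomplete).
ADEQUATE = frozenset({"CH"})
# Date of the CJEU ruling that invalidated the Safe Harbor decision.
SAFE_HARBOR_INVALIDATED = date(2015, 10, 6)
# Assumed roles that may touch personal data at all (illustrative).
PERSONAL_DATA_ROLES = frozenset({"customer_service", "dpo"})
# Assumed per-country rule: purposes that need the data subject's consent
# before disclosure to a third party (illustrative, modelled on the Weltimmo facts).
CONSENT_REQUIRED: Dict[str, frozenset] = {"HU": frozenset({"debt_collection"})}


def decide(subject: Subject, resource: Resource, ctx: Context) -> Tuple[Decision, str]:
    """Evaluate one access request; rules are checked in order, first match wins."""
    if not resource.personal:
        return Decision.PERMIT, "non-personal data"
    if subject.role not in PERSONAL_DATA_ROLES:
        return Decision.DENY, f"role {subject.role!r} may not access personal data"
    origin = resource.data_subject_country
    if ctx.purpose in CONSENT_REQUIRED.get(origin, frozenset()) and not ctx.consent:
        return Decision.DENY, f"{origin} rule: purpose {ctx.purpose!r} needs consent"
    if origin in EEA_2015 and ctx.destination_country not in EEA_2015 | ADEQUATE:
        if ctx.transfer_mechanism == "model_clauses":
            return Decision.PERMIT, "transfer covered by EU Standard Model Clauses"
        if ctx.transfer_mechanism == "safe_harbor":
            if ctx.today < SAFE_HARBOR_INVALIDATED:
                return Decision.PERMIT, "Safe Harbor still valid on this date"
            return Decision.DENY, f"Safe Harbor invalidated on {SAFE_HARBOR_INVALIDATED}"
        return Decision.DENY, f"{ctx.destination_country} not adequate and no transfer mechanism"
    return Decision.PERMIT, "within EEA/adequate country and purpose allowed"


def example_scenarios() -> Dict[str, Tuple[str, str]]:
    """Constructed requests showing how each attribute changes the outcome."""
    agent = Subject("u1", "customer_service")
    intern = Subject("u2", "intern")
    de_record = Resource("r-de-1", "DE")
    hu_record = Resource("r-hu-1", "HU")
    after = date(2015, 11, 1)
    before = date(2015, 6, 1)
    cases = {
        "us_safe_harbor_after_ruling": (agent, de_record, Context("customer_service", "US", "safe_harbor", today=after)),
        "us_safe_harbor_before_ruling": (agent, de_record, Context("customer_service", "US", "safe_harbor", today=before)),
        "us_model_clauses": (agent, de_record, Context("customer_service", "US", "model_clauses", today=after)),
        "us_no_mechanism": (agent, de_record, Context("customer_service", "US", today=after)),
        "norway_intra_eea": (agent, de_record, Context("customer_service", "NO", today=after)),
        "hu_debt_collection_no_consent": (agent, hu_record, Context("debt_collection", "HU", today=after)),
        "hu_debt_collection_with_consent": (agent, hu_record, Context("debt_collection", "HU", consent=True, today=after)),
        "wrong_role": (intern, de_record, Context("customer_service", "DE", today=after)),
    }
    return {name: (d.value, why) for name, (s, r, c) in cases.items() for d, why in [decide(s, r, c)]}


if __name__ == "__main__":
    for name, (outcome, reason) in example_scenarios().items():
        print(f"{name:32s} {outcome:6s} {reason}")
```

The ordering of the rules is the security-relevant design choice: the jurisdiction of the data subject is evaluated before the cross-border transfer rule, so a request can be denied under Hungarian-style purpose rules even when no border is crossed, and the transfer rule keys on the date so that a mechanism that was valid yesterday (Safe Harbor) stops being valid without changing any application code.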

Learn more about how our solutions work with Safe Harbor here.
Don’t miss the ABAC factor blog mentioned above.


**Source: “Data in the Dock”, The Wall Street Journal (staff reports), October 6, 2015.
