Waves of EU NSA Resentment Rising Against Safe Harbor Program: Cloud Software Model in Danger?

by Veronica Blatt

Today’s guest blogger is Martin Snyder, Main Sequence Technology. Founded in 1998, Main Sequence Technology creates talent acquisition technology solutions wherever and however organizations are built. PCRecruiter is the solution of choice for thousands of third party recruitment, corporate, and outsourced staffing teams across economic models and around the world. PCRecruiter provides comprehensive CRM and ATS functionality converged into database, voice, and email interfaces to empower recruiters to do what they do best with accessible, cost effective technology. Main Sequence is proud to serve the NPA organization and our many individual NPA affiliated customers. To learn more, please visit www.pcrecruiter.net. In his post, Martin addresses how a recent political development could potentially impact recruiting.

Sometimes geopolitical events can come knocking on your own door. As a software vendor of recruiting solutions for customers in many global markets, my employer, Main Sequence Technology, is subject to different laws relating to protection of personal information. Recently, there have been news events regarding the European Union’s Data Protection Authorities’ (DPAs’) response to the 2013 revelations of massive data sweeping activities directed by or conducted by the government of the United States.

There have been variations in how these recent events have been described.

The Financial Times reported that, “This month, Viviane Reding, the EU’s justice commissioner, warned that the quintessential agreement that makes transatlantic technology business run so seamlessly – the so-called safe harbour directive that allows US groups to operate under American privacy rules while doing business in Europe – will now be reconsidered.”

On 24 July, 2013, the EU Office of the Federal Commissioner for Data Protection and Freedom of Information issued a statement following several weeks of varying activity among the EU DPA community. Bloomberg reported, “German data protection authorities July 24 announced a crackdown on privacy violations involving countries outside the European Union and called for the German government to suspend participation in the U.S.-EU Safe Harbor Program.”

There is a wide range of potential meaning in those two reports. A crackdown could mean immediate and increased enforcements, while a reconsideration would mean no immediate changes. The authorities are either calling for suspension or merely for review. Hunton & Williams LLP reported, “In light of recent developments, the German Commissioners have decided to review whether to suspend data transfers carried out pursuant to the Safe Harbor Agreement and EU standard contractual clauses.”

The text of the Federal Commissioner for Data Protection and Freedom of Information statement states:

“The Conference therefore calls on the Federal Government to provide a plausible explanation of how the unlimited access of foreign intelligence services to personal data of persons in Germany is effectively limited in line with the principles referred to. Until this is guaranteed, the data protection supervisory authorities will not issue any new permission for data transfer to non-EU countries (for example also for the use of certain cloud services) and will examine whether such data transfers should be suspended on the basis of the Safe Harbour framework and the standard contractual clauses.”

Like the reports on the events, the consequences of any changes have been reported in various ways. The Financial Times reported, “If a U.S. provider offers encrypted means of storing [data] in a cloud that would be a technical alternative to increase security. We would consider these measures as we think about whether to grant permission for a data transfer,” said Alexander Dix, data protection commissioner for Berlin. Other observers have concluded that, should Safe Harbor be repudiated, American companies doing business in the EU would need, at least, to host the data outside of the United States to remain viable.

How serious are these threats? If you are an EU customer using an American cloud service, are you at risk for disruption? What would American vendors do should Safe Harbor be repudiated? What are the odds of real trouble here?

The threats are serious because they have been made, but on the other hand, these treaties involve the highest levels of commerce and government, and when that happens, things don’t usually move very fast. In the event of repudiation, there would have to be some kind of adjustment period, during which vendors would need to assess their ability to continue providing service under the new regime(s) for each market. In our case, our flagship solution, PCRecruiter, is installed on hundreds of private webservers around the world, so we would likely be able to find suitable hosting arrangements quickly should the need arise. Other cloud vendors may not be so well-positioned.

This is a complex and dynamic situation. American tech companies are notably libertarian and the politics in the United States are in a historically unusual spot with the leftward and currently in-power party being the hawks on this issue. I know that our company has an unshakable commitment to the fundamental principles of data protection: necessity, proportionality and limited purposes in the stewardship of personal information. This one bears some close watching as it could be the kind of trade issue that develops as globalization really starts hitting hard walls of law and custom in various places.
