In the past two years we’ve witnessed various events that have had an impact on the open character of the Internet. In October 2015 European Net Neutrality rules were published, providing guidelines for regulation, but they were criticized by many as being too open and leaving too much room for uncompetitive behavior (here’s an example). In June 2015 the FCC published its US Open Internet order along the lines of “no blocking, no throttling, no paid prioritization”, driving a significant change in the IP Interconnection landscape in particular. In parallel, we saw ongoing consolidation on the side of the ISPs, with large ones absorbing their smaller competitors or other players in the digital value chain (e.g. cloud hosting services, “Over-The-Top” – OTT – video services) or even merging with mobile providers. Another trend we saw was the launch of services for which the related Internet traffic is not counted towards the “monthly data budget” of the customer, typically referred to as “zero rating”.
Some weeks ago we informed you of the EU-US Privacy Shield, announced by the European Commission on February 2, 2016, a new arrangement for transatlantic data flows between the EU and US. In this blog you can read about recent developments of the EU-US Privacy Shield and alternative solutions offered by LeaseWeb.
EU-US Privacy Shield in the making
We have known since October 2015 that the US Safe Harbor regime is invalid, meaning that personal data of Europeans can no longer be transferred by a company to US Safe Harbor certified companies. On Monday 29 February 2016, the European Commission published the details of the EU-US Privacy Shield that should replace the Safe Harbor certifications.
After my previous blog last month we were still looking out for any news about solutions for the Safe Harbor invalidation. Since the press release of the EU-US Privacy Shield, announced by the European Commission on February 2, 2016, we have seen many press articles and numerous links. So here is our update and recap on the timing of the EU-US Privacy Shield and alternative solutions offered by LeaseWeb.
On January 1, 2016, the new Dutch Law on Data Breach Notifications came into effect. Organizations – both companies and government agencies – are now required to immediately report any serious data breach to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). And, if it is likely that the data breach will have an adverse effect on the privacy of those involved, those people have to be informed as well.
A data breach is defined as the act of accessing, deleting, modifying or releasing personal data, committed unintentionally by the organization. Not only releasing (e.g. leaking) personal data, but also the illegal processing of data, will be seen as a data breach. Examples of data breaches are a lost USB stick containing personal data, a stolen smartphone or malicious access to a database by a hacker.
In October last year, the US Safe Harbor regime was invalidated by Europe’s Court of Justice, meaning that personal data of Europeans could no longer be transferred by a company to US companies solely on the basis of such companies being Safe Harbor-certified.
At the time of the ruling, no replacement for the Safe Harbor principle was proposed. The European Commission gave itself a three-month term to come up with an alternative solution, working towards January 31, 2016. It is not likely that this timeline will be met, but we expect new developments to be made public in the coming weeks.
“The Court of Justice declares that the Commission’s U.S. Safe Harbour Decision is invalid.”
The Safe Harbour arrangement has been in place since 2000. It was formalized by the European Commission’s Safe Harbour Decision (2000/520/EC), and permitted the transfer of personal data of Europeans to the U.S., to companies that are self-certified under the Safe Harbor Privacy Principles and registered with the U.S. Department of Commerce.
Last Tuesday, in a landmark judgment, the European Court of Justice – Europe’s highest court – declared the Safe Harbour Decision invalid. At present, it is not yet fully clear what the consequences of this judgment of the ECJ will be. What is clear, however, is that data should no longer be transferred to U.S. organizations solely on the basis that they are Safe Harbour-certified. Companies that transfer personal data from the EU to the U.S., or rely on the processing of personal data in the U.S., will need to review their data flows for compliance with EU data protection law. They will likely need to consider alternative cross-border transfer solutions, e.g. by applying binding corporate rules, EU model contract clauses and/or obtaining individual persons’ consent for the transfer of their data. That operation will be time-consuming and expensive. All this could potentially have serious implications for cloud hosting providers and their customers, who are suddenly faced with data residency issues.
EU court strikes down trans-Atlantic ‘safe harbor’ data-transfer pact. Decision will affect around 4,500 companies. http://t.co/Xn4TxivBAz
— Wall Street Journal (@WSJ) 6 October 2015
This is the third installment of LeaseWeb’s biannual Law Enforcement Transparency Report. It shows the number of demands we received in the prior six months. The figures below are for the period of July 1st – December 31st, 2013.
LeaseWeb believes that clients and other stakeholders deserve a clear articulation of LeaseWeb’s obligations and responsibilities to increase their understanding of how we ensure the highest quality of service, while adhering to the law. Customers are increasingly using technology to communicate and to store private and sensitive information. Like others in the technology industry, we believe it is important for the public to have transparent information about law enforcement access to customer data.