Views on Hybrid Cloud Data Options in a Post-Safe Harbor World From Brian Levine, Security & Compliance Senior Director, Syncplicity

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Dictating where data are actually stored when utilizing cloud computing has become even more significant in light of the recent U.S.-EU Safe Harbor Program invalidation.

Bloomberg BNA Privacy & Data Security News Managing Editor Donald G. Aplin posed a series of questions to Brian Levine, Senior Director of Security and Compliance at Syncplicity LLC, about possible hybrid cloud options for companies facing post-Safe Harbor privacy and security compliance issues.

Bloomberg BNA:

Does the recent invalidation of the U.S.-EU Safe Harbor Program pose any particular concerns for cloud service storage providers?

Brian Levine:

Cloud service storage providers and many software as a service (SaaS) businesses are forced to evaluate their practices and determine if they have proper legal authorizations for data transfers. With Safe Harbor now invalidated, many companies may have no legal basis for the transfer of data, such as the Model Clauses, Binding Corporate Rules, or user consent. Syncplicity has long upheld privacy safeguards, and we include the Model Clauses in our Cloud Service Agreement, which upholds the privacy safeguards formerly guaranteed by Safe Harbor.

Of particular concern, this ruling now sets the stage for each member state’s national data protection authority (DPA) to begin bringing suits against companies involved in data transfer. Each of the 28 member state DPAs and courts may have different interpretations and local laws specific to that nation. It creates a complex patchwork legal environment now for cloud service providers to operate in.

The potential financial impacts are also significant. In addition to the internal operational updates that may be required, companies may be subject to fines from European courts for non-compliance. For example, in Germany, unlawful transfers of data are punishable by fines up to 300,000 euros ($322,143) per individual. 
Bloomberg BNA:

How might a hybrid cloud service ameliorate those problems?

Levine:

A hybrid cloud solution, such as Syncplicity’s policy-driven hybrid cloud, lets European customers choose where their data gets stored and processed—so data created in Europe stays in Europe, eliminating international data transfer concerns.

With a hybrid cloud, customers can use multiple clouds, public and private, in multiple geographic regions. Using storage policies, customers determine which data gets stored in a public cloud, which data gets stored in a private cloud, and under which national sovereignty the data should remain. Rules based on parameters, such as the users’ nationality or the sensitivity level of data, can dictate where data is stored to meet security, privacy, and confidentiality needs. For example, Syncplicity’s multinational customers set storage policies which store U.S.-based employee data in the U.S., and European-based employee data in Europe.

Bloomberg BNA:

If the hybrid cloud set-up takes care of the data storage localization problem, how then might technological solutions address subsequent data transfer issues?

Levine:

Encrypting data before storing it in the cloud is one solution, and there are some technical offerings on the market today that offer this. Any solution that gives the customer ownership of the encryption key, should also make sure that the provider never sees the private data in plain-text.

Providing the end-user ownership of the encryption keys is of little value if the provider has access to the plaintext (unencrypted data). This is an important distinction that consumers should understand when looking at any so-called key management solution.

Bloomberg BNA:

Do you foresee a time when encryption in the control of the data subject or other data security safeguards might render concerns about maintaining the privacy of personal transferred to the U.S. moot?

Levine:

Yes, already today Syncplicity offers some advanced encryption solutions which render many of the concerns irrelevant. For example, our Secure Shared Files feature places an encrypted wrapper around files and controls who and where the file can be read, no matter where the data is transferred. I can save a file and mark it as accessible only in Germany, using geolocation, the data will only be decrypted when the user tries to access it while in Germany. In this respect, the file can be stored anywhere, but content safeguards protect it regardless of the storage location.

On a wider scale, it is encouraging to see advances by companies like Apple Inc., Facebook Inc. and Google Inc. to strengthen the encryption of their products. For example, with the latest release of Android, encryption is on by default (previously the user had to opt-in for encryption). Also, with each release of iPhone, Apple is building stronger and stronger encryption and privacy protection. Facebook is now offering pretty-good-privacy (PGP) keys to encrypt messages sent from Facebook to consumers.

While the U.S. government is pushing for “backdoors” and other mechanisms to circumvent these controls, the industry is taking a clear stand to increase consumer protections and safeguards for sensitive data. Syncplicity is strongly aligned with this direction as well and we provide some of the most advanced protocols and confidentiality controls in the industry, such as StorageVault Authentication for protecting identity and confidentiality in the hybrid cloud. 

Bloomberg BNA:

What do you think the chances are that some sort of Safe Harbor 2.0 is possible?

Levine:

I think there is a high probability we will eventually see a new agreement worked out between the EU t and the U.S.. The economics certainly favor a new agreement, and political representatives on both sides have made recent public statements expressing a strong desire to work it out. The time-frame for a Safe Harbor 2.0 really depends on Europe’s stance and the U.S.'s willingness to allow for strong limitations and safeguards on access to personal data by U.S. public authorities. This could force an extended impasse, as Europe won’t agree to anything they believe will get shot down by the European Court of Justice or various data protection authorities.

In an Oct. 16 statement, The Article 29 Working Party has threatened they will begin concerted legal actions, if a solution is not identified by the end of January 2016: “If by the end of January 2016, no appropriate solution is found with the U.S. authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”

Again, using a hybrid cloud storage solution like Syncplicity enables companies to host cloud data confined to a specific region, avoiding the potential for legal action by a DPA.