On 6th October 2015, the European Court of Justice declared the Safe Harbor agreement invalid. This means that US companies can no longer self-certify that they provide “adequate protection” in line with the EU Data Protection Regulation when storing and processing personal data from citizens in Europe. As federations have an understandable interest in data protection and user privacy, REFEDS has been following this story with interest.
What Is / Was “Safe Harbor”?
Safe Harbor was a privacy treaty between the EU and the US. Under the current EU legislation, organisations within the EU cannot exchange data with countries outside of the EEA (European Economic Area) unless suitable mechanisms are in place. Safe Harbor was a treaty agreement that essentially allowed organisations in the US to claim to meet those requirements via a self-assessed process and a registry of those organisations. Somewhat ironically for the NREN community, many of the organisations that we would have strong relationships with (education institutions, charities etc.) were not eligible for Safe Harbor. For cross-university collaborations, little has changed at this point in time. The ruling is, however, more concerning for those that outsource services to companies in the US.
Why Have Things Changed?
In the current technology landscape of social media dominance, Safe Harbor was a big deal for many US companies whose business is built around personal data. It was an easy way to ensure that services could be rolled out on a global scale with minimal legal boundaries. However, a series of data breaches, concerns about tactics used by commercial organisations to gain data and revelations about access to data by US intelligence services have led to this change in approach by the Court of Justice. This forms part of an overarching review of data protection law within the EU as we move towards the General Data Protection Regulation.
What do NRENs and NREN Partners Say?
- SURFnet have released a news item with advice for their members.
- Andrew Cormack from Jisc has a blog post with advice and general information around Safe Harbor – his blog is well worth a deeper read regarding data protection and privacy issues.
- ORCID have a news item on how the decision will affect ORCID users.
- There is an interesting letter in the Financial Times from Unity on the benefits of using academic identity federations in light of this ruling (paywall).
Attribute Release within Federations
REFEDS has long advocated against relying on catch-all approaches to data protection and recommends that institutions adopt a risk-assessment approach to releasing data. REFEDS recommends using a seven-step balance test before deciding on release processes, based on advice from the Article 29 Working Party.
Both the GÉANT Code of Conduct and the REFEDS Research and Scholarship Entity Categories are mechanisms that support informed and assessed release of information to Service Providers and give assurances to Identity Providers that adequate protection for users is in place. As the Code of Conduct is based directly on EU regulation, it will not be recommended for use with Safe Harbor organisations in the future.
The REFEDS wiki also details all of the ways in which organisations in the EU are allowed to release data. As well as the “legitimate interests” approach, which forms the backbone of entity categories, contractual reasons and consent remain valid options as long as the specific requirements for those approaches are met.
If you have any questions or concerns about how the Safe Harbor ruling will affect you, your users and your implementation of federated identity approaches, please do get in contact with us.