This week, we were contacted by a customer who had concerns about a European Union / United States data privacy pact known as Safe Harbour, and the fact it was struck down by a European court.
The principles of Safe Harbour were developed in 1998-2000. They were designed to protect information about European Union consumers and to govern how that information was to be handled by the companies in the United States with whom those consumers did business. Within the European Union, existing privacy laws already stringently protected those consumers. Once that information crossed international waters, what protections would those consumers have?
With a tremendous number of international website hosting and data processing services erupting out of the United States in the early 2000s, the need for Safe Harbour was very clear. If European companies were to entrust the handling and storage of their customers' information to overseas hosting services, and if those companies were held accountable to stringent European Union privacy laws, then some mechanism had to be in place to offer assurances to those European businesses, as well as to enforce privacy expectations on the part of their American vendors.
Hence, the Safe Harbour pact.
The agreement was designed to protect European Union consumers' information. It details how that information should be stored and protected by American businesses and, if it were to be shared with third parties, requires that this be done in such a way that consumers had the ability to opt out and/or change the information as they deemed fit. The agreement, which seems completely fair to me (as a consumer), was put in place at the start of the Millennium and since that time has offered the necessary assurances. At least, it did until earlier this month, when a European court struck down the provisions of the agreement.
A consumer complaint was filed with the Irish Data Protection authority, stemming from Facebook's handling of a European Union citizen's personal information. Facebook's European office is based in Ireland, as are those of many high-tech firms. The Austrian consumer was concerned about former NSA contractor Edward Snowden's 2013 revelations that the U.S. spy outfit had access to the personal information of Facebook users, which directly flew in the face of the Safe Harbour agreement. Whether true or not, it brought to light the fact that Safe Harbour is only meaningful if companies honor it.
Facebook has denied any knowledge of permitting open access to its data. And to be fair to the company, few Facebook users adequately secure their data, despite a myriad of privacy options. To demonstrate, try typing your full name (or the name of someone you know) in quotation marks ("John A. Doe"), or a Facebook username ("john.a.doe.222"), into a Google search bar, and watch what comes up. Unless you have been very, very good about restricting the information you share about yourself, including any approved applications or "Farm-" games (all of which demand access to personal information and friend lists), then you have made it impossibly easy for any person, group, government, spy organization, etc., to obtain your information without any sort of hacking. All they need is the ability to scan search engine results to learn all they want to know about you.
On October 6, 2015, the European courts, either so greatly concerned about the lack of awareness on the part of European consumers of the need to protect their information from public search engines, or given reason to believe Facebook was knowingly sharing its data openly with American spy organizations, ruled Safe Harbour invalid.
So… what does this mean?
- For American companies hosting European consumer data, it means a potentially huge loss of trust with their European customers.
- For European companies using American hosting and data storage services, it means potentially huge liabilities and risk from continued U.S. data storage operations.
That said, all is certainly not lost.
Looking back at when Safe Harbour was first agreed to by E.U. and U.S. governments, it was almost to the day when our company first started. One of our founding team members, who lives in Scotland, helped bring awareness to the issues. From the get-go, Canvas Host (then “Canvas Dreams”) instituted self-administered policies to comply with the legislation. It was simply the right thing to do.
And, despite the law being struck down earlier this month, Canvas Host, as a self-administered private business in a largely unregulated industry, will continue to uphold all of the points highlighted in the original Safe Harbour agreements. We extend this to ALL customers, not simply those based in the European Union.
Safe Harbour is a matter of protecting the privacy of our customers and the information about them that is stored on our network. We have always upheld customers' privacy and protection as best we can. It is admittedly a moving target in response to new industry developments, new software options, or new business policies and certifications. And yet, if you were to look back on our history, you would see that, if anything, we have moved ever more towards increasing protection of customer data in our network.
Here is a link to the original Safe Harbour legislation:
The rules are fairly straightforward. In accordance with Safe Harbour, among other things, a company must inform its customers of the type of data collected and how it is to be used; the company has to grant customers the ability to limit how that information is used or accessed; and the company must grant customers the ability to opt out of communications or data-sharing partnerships. For the record, Canvas Host has never participated in any data sharing with any third-party entity. The only circumstance in which we would ever do such a thing would be if compelled by a U.S. court order, which has never occurred in the history of our company.
Beyond this, Canvas Host is a certified B Corporation. We operate on a higher level of ethics than traditional businesses, and undergo stringent third-party credentialing every two years. Each time, we improve upon our credential score, which signifies an ever-improving business model aimed at supporting people, planet, and profit, not profit alone. You can read more about B Corporations here:
Work is underway to restore Safe Harbour in some capacity and to repair broken trust. As a privately operated business, we admittedly wish we could do more to help that process along, so here is my challenge to you as a reader:
If you are a citizen of the European Union, you might try contacting the office of your local MEP (Member of the European Parliament) to express your concerns about data privacy. You can look up your local office here:
European Parliament Information Offices:
If you are a citizen of the United States, you might try contacting your local Representative or Senator.
House of Representatives, by State and District:
State Senators, by State:
In the past, I have written to my representatives and senators, and have received letters and responses from them. Our elected officials do listen and are charged with hearing the will of the people.
All that said, regardless of whether Safe Harbour has been struck down, I want to offer you, the reader, assurances that Canvas Host works very hard to protect the privacy rights of all customers, regardless of where they are located or what laws are in place.
I welcome your thoughts and insights. Send us your comment, at sales [at] canvashost [dot] com.
David Anderson, Owner
Wikipedia: European Union Data Protection Directive
Wikipedia: European Union Safe Harbour Principles
Article: European Court Invalidates Safe Harbour Pact