Is safe harbor really needed?

By Phil Keys

On October 6th, 2015, the European Court of Justice (ECJ) announced that it would be invalidating the US-EU Safe Harbor Decision (Safe Harbor). As background, Safe Harbor is the European Commission’s directive for regulating under what circumstances US entities can collect personal data of European Union citizens. The ECJ decision now makes it very difficult for US companies – particularly global US Internet companies – to do business in Europe. While a lot of activity focuses on coming up with a new legal framework to satisfy the ECJ, Intertrust is working on secure cloud technologies that will let international services do business in Europe while complying with EU laws on personal data protection.

In this discussion, it is important to note that collection and use of personal data across international borders has ramifications beyond advertising-based business models. For example, in today’s world, the spread of new communicable diseases beyond a country’s borders takes just one plane ride. Once a certain disease is detected in one country, it would be useful for health authorities to access international travel information on patients. Also, in today’s IoT world, there is a lot of interest in cloud-based analytics systems. These systems can help the various connected devices an individual or family owns perform useful services such as reducing energy usage, monitoring health conditions, making homes more comfortable, etc. With many of these systems coming out of the US, EU citizens should not be deprived of these benefits.

Old Technology vs. New

One issue with the old Safe Harbor is that it was based on older technology that forced US entities to gather personal data in US-based repositories for processing. This is no longer necessary. Modern cloud and security technologies give us the ability to process geographically distributed personal data while protecting personal privacy.

At Intertrust, we call this technology a trusted intermediary. A trusted intermediary is a cloud-based service which manages access to personal data. With the trusted intermediary, organizations can use personal data for useful services without violating privacy. Essentially, the trusted intermediary just takes the attributes that are needed for the service to work without holding or passing on any personally identifiable information. Modern cloud technologies mean such personal data can be held anywhere, not necessarily in the same geographical location as the organization providing the service. By using trusted intermediary technology, a US organization could get the attribute information that it needs for services from personal data held in cloud servers located in the EU. EU citizen personal data can remain in the EU, protected by EU law, and still be used by US organizations to provide services to EU citizens.

Making Genetic Data Useful

Intertrust is already working on international services using trusted intermediary technology. One, called Genecloud, gives researchers access to sensitive genetic data over the Internet. Genecloud takes a researcher’s program, such as one looking for a certain genetic trait that indicates susceptibility to a disease, and manages it in such a way that it only accesses the genetic trait information it is looking for and not any personally identifiable information. The program is also managed so that it is brought to where the data resides, not the other way around. By using Genecloud, organizations holding genetic data can continue to keep their data in the country and follow national laws restricting the release of this data while making it useful for researchers around the world.

Genecloud is just one use of the trusted intermediary technology, which also has many other applications in industries such as advertising. If trusted intermediary advertising services were available, they could allow advertising-backed US online companies to provide their services to EU citizens without the necessity of bringing that data to the US.