Microsoft’s Brad Smith on the Collapse of Safe Harbor

Microsoft’s Brad Smith on the Collapse of Safe Harbor
By schneier

Microsoft’s President Brad Smith has a blog post discussing what to do now that the US-EU safe-harbor agreement has collapsed.

He outlines four steps:

First, we need to ensure across the Atlantic that people’s legal rights move with their data. This is a straightforward proposition that would require, for example, that the U.S. government agree that it will only demand access to personal information that is stored in the United States and belongs to an EU national in a manner that conforms with EU law, and vice versa.

Second, this requires a new trans-Atlantic agreement that creates not just a safe harbor, but a new type of connection between two ports. We need to create an expedited process for governmental entities in the U.S. and EU to access personal online information that is moved across the Atlantic and belongs to each other’s citizens by serving lawful requests directly with the appropriate authority in an individual’s home country. The requesting government would seek information only within the limits of its own laws, and its request then would be reviewed promptly by the appropriate government authority in the user’s country of nationality. If the designated authority determines the request is consistent with the privacy protections and other requirements of the citizen’s local law, it would validate and give it legal effect, authorizing disclosure.


Third, there should be an exception to this approach for citizens who move physically across the Atlantic. For example, the U.S. government should be permitted to turn solely to its own courts under U.S. law to obtain data about EU citizens that move to the United States, and the same is true for a European government when U.S. citizens reside there. This is consistent with longstanding legal principles, as well as the practical reality that public safety issues are most pronounced when an individual is physically present in a jurisdiction.

Finally, it makes sense, except in the most limited circumstances, for governments on both sides of the Atlantic to agree that they will seek to access the content of a legitimate business only by means of service on that business, even when it is stored in the cloud. This would address one of the principal areas of current legal concern for businesses that are relying on cloud services.

We can, and should, argue the details. But this seems like a good place to start for this set of issues.

Three news articles.

October 26, 2015 at 01:40PM
via Schneier on Security