Exec summary: If you are storing European visitor data on servers based in the USA (most busy WordPress sites are), you are exporting “personally identifiable information”, or PII, of users in Europe to the United States. European law does not allow exporting of user PII unless companies can demonstrate they will protect European user’s privacy and data. About 15 years ago the USA and Europe came up with the US-EU Safe Harbor agreement which has allowed US companies to store European data legally. The agreement was invalidated by the European courts last week.
That means that if you store the PII of European members on your WordPress site on servers based in the United States, you may be open to lawsuits from Europe, although the impact of the decision is unclear at this point.
We recommend that you find out if your hosting provider or cloud host provider is aware of this change in European law governing data stored in the USA and what they’re doing about it. Your hosting provider may (like Amazon) already have agreements with member states in the EU that cover this change in European law.
If your hosting provider can’t provide clear guidance, monitor news about this issue over the coming weeks as it becomes clear what impact the European court decision will have. The rest of this article has more detail on what “safe harbor” is, why the change occurred, how larger companies are dealing with this issue and the options for smaller businesses at this time.
Europe is considered to have stricter privacy laws than the United States. Companies operating in Europe are not allowed to send user’s personally identifiable information (PII) outside Europe unless that data is adequately protected. Once that data is outside Europe, it can’t be shared with another company or organization, unless that organization has also demonstrated that they will adequately protect the data.
In the late 1990’s, the European Commission worked with the United States Department of Commerce to develop international safe harbor privacy principles that would allow US based companies to transfer customer data to the USA and store it, as long as they provided adequate protection for that data.
Their work resulted in what is known as the “US-EU Safe Harbor” program. The US Department of Commerce has been providing a streamlined process that allows companies to self-certify that they are in compliance with the program. Once certified, companies fall under the protection of the Safe Harbor agreement. You can find out more about this program on export.gov.
Last Tuesday the European Court of Justice held the US-EU Safe Harbor program as invalid. The effects of this are still being interpreted, so there is no need to panic if you are running a website and storing European customer data in the USA. We’re going to discuss why US-EU Safe Harbor was ruled as invalid and what this could mean going forward for site owners and publishers who store European member or customer data.
How Did Safe Harbor Get Invalidated?
Former NSA contractor Edward Snowden’s leaks have revealed that the US National Security Agency was spying on data held by American companies that belonged to EU citizens. An Austrian student, Max Schrems, filed a complaint against Facebook to the Irish Data Protection Authority. Schrems claimed that Facebook was not sufficiently protecting user data because, as Snowden leaks have shown, the NSA performs surveillance on technology companies.
His complaint was thrown out by the Irish Data Protection Authority. He appealed to an Irish court and the complaint was sent to the European Court of Justice (ECJ).
Last Tuesday, October 6th 2015, the ECJ came back and ruled that the US EU Safe Harbor Agreement is invalid because the US Government can access the data of European citizens and is not subject to the same safe-harbor standards as the companies storing that data.
This is an important verdict because the ECJ is making a clear statement that American companies can’t be trusted with user data because that data can (and has) been accessed by the National Security Agency and other intelligence organizations. Those organizations are not held to the US-EU Safe Harbor standards when they gain access to European customer data, and therefore the entire Safe Harbor agreement is invalid. The ECJ has effectively dropped a legislative bomb on international data privacy.
What Does This Mean?
The legal and information security community are still coming to terms with this decision. If you research the issue online you will find very little clear guidance as to where this leaves companies who are transferring customer data to US based servers. In theory it may seem that transferring EU customer data to US servers now breaks EU privacy law and makes US companies subject to lawsuits from EU plaintiffs. If that were true, the number of companies who are potential lawsuit targets is large.
To get around this tectonic shift in privacy law, larger companies like Amazon are using “model clauses” which are individual agreements with EU member countries that give those countries assurances that the company is operating within legal limits with regard to data privacy. These are complex and expensive for businesses to implement and are not practical for smaller businesses.
The Amazon case is interesting, because one effect of Amazon having a ‘model clauses’ agreement is that if you are an Amazon Web Services customer and are using their services to store your customer data, you may be safe from this breakdown in safe-harbor. Here’s the quote from Amazon:
“With our EU-approved [Data Protection Agreement] and Model Clauses, AWS customers can continue to run their global operations using AWS in full compliance with EU law,” an AWS spokesperson said in an emailed statement. “The AWS DPA is available to all AWS customers who are processing personal data, whether they are established in Europe or a global company operating in the European Economic Area.”
The question remains, if you are hosting a WordPress website and storing European customer data in the USA, what should you do about this?
As you can see from Amazon’s statement above, if you are using a hosting company that has their own EU approved Data Protection Agreement with EU member states, then you may very well be protected already. We suggest you contact your hosting provider or cloud provider and ask them if they’re aware of this change and what they’re doing about it. You might also check their blog.
If your hosting provider doesn’t provide clear guidance, there are unfortunately few options available besides taking a wait-and-see approach. If you visit the US Department of Commerce Safe Harbor website, they have a statement on the home page that says:
On October 6, 2015, the European Court of Justice issued a judgment declaring as “invalid” the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.”
In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.
This in effect says “We aren’t sure how this is going to play out. We’re doing business as usual. Talk to your lawyer. We are talking to ours.”
So at this point if you are storing European customer data on US based servers, we would recommend that you continue to monitor this situation as it evolves. Over the next few weeks some guidance will likely emerge from the Commerce Department and we will hopefully be back to business as usual – where companies doing business in the EU can register for US-EU Safe Harbor and safely store customer data in the USA.
As always, we welcome your comments below!
Addendum: Does the Wordfence security plugin for WordPress store any PII on US based servers?
Wordfence is based in Seattle, Washington as are our servers. As you probably already know, we provide the most popular security plugin for WordPress. Wordfence does not transfer user personally identifiable information (PII) from the sites we protect to our servers in the USA or elsewhere.
The Wordfence security plugin performs most of it’s functions and data storage on the WordPress server we are protecting. It communicates with our servers based in the USA to get data like the latest URL’s from the Google Safe Browsing list, to verify source code integrity and to check if a domain is a known source of spam or infections.
As part of it’s functions, Wordfence will occasionally transfer aggregated data to our servers for analysis when detecting spam, malware or attacks. This data can not be used to de-anonymize a site visitor or member.