On October 6, the EU ruled that the 15-year-old Safe Harbor Agreement between the U.S. and Europe is invalid. The agreement had allowed American companies to move the data of European citizens freely to the U.S. under the rationale that American data protection was equivalent to EU standards. From large enterprises like Facebook and Google to cash-strapped startups, companies have been able to self-certify their internal data security, allowing them to move, store, and process information without border restrictions. But, come January 2016, that will no longer be possible.
That gives US companies precious little time to find new legal and technological compliance solutions. All corporations engaging in overseas transactions, but especially small businesses, must address the cost and complexity of compliance. Many American companies use inexpensive cloud hosting or Software as a Service that stores or processes data in other countries. Tech startups are especially vulnerable — including anyone leveraging cloud services that deal in data exchange or analysis. It’s not yet clear what new rules will replace Safe Harbor, but it’s a safe bet that companies will need to develop new methods to protect their data.
Here are four solutions both small businesses and larger enterprises should look into:
1. Binding agreements and model contracts
Binding agreements and model contracts have been used as Safe Harbor alternatives, and the latest ruling does not invalidate them. Binding agreements are big, complex legal documents, governed by auditing and training. They’re robust because they show a company adheres to the highest standards of data protection, but they’re not a viable option for smaller businesses.
Model contracts are a better alternative for small businesses. These standard agreements are used to authorize moving data out of the European Economic Area, or EEA (the EU plus Norway, Iceland, and Liechtenstein). Companies need to use model contracts as the basis for data sharing agreements with all their partners and contractors who provide them EEA data or process it for them. A model contract isn’t enough, however; businesses still need to audit their data infrastructure and implement privacy protection for EEA data.
2. Tokenization: Useful, but not for all data
Because of the new rules, transferring data out of Europe paradoxically exposes it to more stringent regulations. Tokenization gives American businesses a way to benefit from EEA data without moving it out of Europe. It works by replacing a string of protected data with a random string of characters. The original data remains in a protected database (for example, one located in the EU), while the token is sent on. For example, American companies can tokenize customer names and addresses but import other information, such as analytic data.
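The tokenization flow described above, as an added illustration that is not code from the original article: the vault holding the real values stands in for the protected database kept in the EU, and only tokens plus the non-identifying analytic fields leave it. The field names and the customer record are constructed for the example.

```python
import secrets


class TokenVault:
    """Maps sensitive values to random tokens and keeps the only copy of the mapping.

    In deployment this object (and its storage) would live in the EU; the
    exported records carry tokens that reveal nothing about the original value.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Reuse the token for a value already seen, so records about the same
        # customer still join up on the receiving side (a design choice, not a
        # requirement of tokenization).
        token = self._value_to_token.get(value)
        if token is None:
            token = secrets.token_urlsafe(16)  # random; not derived from the value
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token):
        # Only code with access to the vault can recover the original value.
        return self._token_to_value[token]


# Assumed: these are the fields treated as identifying for this record type.
PII_FIELDS = ("name", "address")


def export_record(vault, record):
    """Return a copy of `record` with PII replaced by tokens; analytic fields pass through."""
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


# Constructed sample: one EU customer record mixing identity and analytic data.
SAMPLE = {"name": "Anna Example", "address": "1 Sample St, Berlin",
          "orders_last_30d": 4, "avg_basket_eur": 37.5}

if __name__ == "__main__":
    vault = TokenVault()
    print(export_record(vault, SAMPLE))
```

The exported dictionary can be shipped and analysed abroad; re-identifying it requires querying the vault, which never leaves the EU.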
3. Encryption: Creating a necessary shield for all data
Encryption uses an algorithm to obfuscate data, turning it into unreadable blobs — unless of course, you have the proper key. Parties with the key can decrypt the data, but no one else can read it. Encryption can be used to protect all your data or combined with tokenization to shield personally identifiable values in the raw data. Whatever other data protection measures you use, encryption will always add an extra layer of security.
Organizations should use strong encryption — well-vetted algorithms with adequately long keys — to protect their data. They should also use end-to-end encryption for data in motion. End-to-end encryption scrambles your data before it is sent and only unscrambles it at its destination, preventing hackers or government agencies from spying on it in transit. This protects it even when attacks on transport-layer encryption such as SSL/TLS succeed. Organizations need to make sure their data is protected both in motion and at rest, such as when it is stored in the cloud or on a computer.
Encryption key management can also be used strategically to meet data privacy requirements. For example, an American company could protect EEA data with keys only accessible by contractors or partners in the EEA.
4. Anonymization: Making data identity neutral
The EU counts any data that can be linked to an individual as personally identifiable data. This applies even if only non-identifiable data is sent to the U.S. For example, if an American business receives a spreadsheet of an EU customer’s buying habits without information about the customer’s identity, it counts as personal data if there’s a database in Europe with enough information to figure out the customer’s identity.
Anonymization complies with European privacy requirements by making it impossible to link data to an individual person. One method is aggregation. A record from a streaming service saying “European customer X watched these five episodes on the first weekend in May” could violate compliance, for example, but a spreadsheet showing the popularity of those episodes on that weekend across Europe couldn’t.
You can also anonymize by destroying some of the original data. For example, if you were studying web analytics, you might be able to send individual profiles of visits to a website, provided you had no way to recreate or track customer IDs.
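Both anonymization methods above, aggregation and dropping identifiers, as an added example that is not from the original article. The viewing records, the weekend dates and the `MIN_COUNT` threshold (small cells are suppressed so a single viewer cannot be singled out, a standard disclosure-control step the article does not mention) are all assumptions made for the example.

```python
from collections import Counter
from datetime import date

# Constructed sample: per-customer viewing records of the kind the article
# says could violate compliance if exported as-is.
RAW_VIEWS = [
    {"customer_id": "EU-1001", "country": "DE", "episode": "S1E1", "day": date(2015, 5, 2)},
    {"customer_id": "EU-1001", "country": "DE", "episode": "S1E2", "day": date(2015, 5, 2)},
    {"customer_id": "EU-1002", "country": "FR", "episode": "S1E1", "day": date(2015, 5, 3)},
    {"customer_id": "EU-1003", "country": "NL", "episode": "S1E1", "day": date(2015, 5, 3)},
    {"customer_id": "EU-1004", "country": "IT", "episode": "S1E3", "day": date(2015, 5, 3)},
    {"customer_id": "EU-1005", "country": "ES", "episode": "S1E1", "day": date(2015, 5, 9)},
]

WEEKEND = (date(2015, 5, 2), date(2015, 5, 3))  # assumed: first weekend in May 2015
MIN_COUNT = 3  # assumed threshold below which an aggregate cell is suppressed


def episode_popularity(views, weekend=WEEKEND, min_count=MIN_COUNT):
    """Aggregate across Europe: episode -> number of views on the given weekend.

    Cells with fewer than `min_count` views are dropped, because a count of one
    or two still points at a specific viewer.
    """
    counts = Counter(v["episode"] for v in views if v["day"] in weekend)
    return {ep: n for ep, n in counts.items() if n >= min_count}


def anonymize_visits(views):
    """Per-record anonymization: drop the customer ID entirely (no hash, no
    pseudonym that could be reversed) and coarsen the date to the month.
    """
    return [
        {"country": v["country"], "episode": v["episode"],
         "month": v["day"].strftime("%Y-%m")}
        for v in views
    ]


def carries_identifier(records):
    """Pre-export check: True if any record still contains a customer ID."""
    return any("customer_id" in r for r in records)


if __name__ == "__main__":
    print(episode_popularity(RAW_VIEWS))
    print(anonymize_visits(RAW_VIEWS))
```

Even after the ID is dropped, country plus episode plus month is a quasi-identifier; whether such records are truly anonymous depends on how many people share each combination, which is why the aggregate form with suppression is the safer default.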
Business goes on without Safe Harbor
The Safe Harbor ruling is inconvenient for small businesses, but it’s not a disaster. By signing model contracts and protecting data with encryption, tokenization, and anonymization, companies can comply without spending a fortune. And in the long run, it’s for the best. In spite of the temporary chaos it has caused, the ruling has moved the world one step closer to an international standard of privacy, where everyone’s data is secure by default.
John Ackerly is CEO and cofounder of encrypted email service Virtru.