Koozali.org: home of the SME Server

Safe Harbor and Email Servers

mmccarn
Safe Harbor and Email Servers
« on: October 09, 2015, 02:15:41 AM »
I have 50 - 60 users in London and Amsterdam who keep their email on my mail server here in the US.

Can anyone tell me how this arrangement is affected by the ECJ (European Court of Justice) ruling on 10/6 declaring that 'Safe Harbor' is invalid?

Do European privacy restrictions extend to the operation of my corporate mail servers?

Thanks in advance...

CharlieBrady
Re: Safe Harbor and Email Servers
« Reply #1 on: October 09, 2015, 04:52:30 AM »
Better get a lawyer, son....

guest22

Re: Safe Harbor and Email Servers
« Reply #2 on: October 09, 2015, 05:22:22 AM »
Quote from: mmccarn
Do European privacy restrictions extend to the operation of my corporate mail servers?

Yes it does. But you are not the only one with this problem atm. All the giants (MS, FB, Tw, Google, Apple, Evernote etc etc and all others) face a 'giant' problem right now.

This topic has drawn much attention, and only the EU and USA can work this out. Not us on micro level.

Having said that, the ruling was based on a case regarding a private person, not a corporate user. If a US company's employment contracts state that all data is corporate property (if possible) then it would be a different story.

ReetP
Re: Safe Harbor and Email Servers
« Reply #3 on: October 09, 2015, 11:49:18 AM »
Quote from: mmccarn
I have 50 - 60 users in London and Amsterdam who keep their email on my mail server here in the US.

Can anyone tell me how this arrangement is affected by the ECJ (European Court of Justice) ruling on 10/6 declaring that 'Safe Harbor' is invalid?

Do European privacy restrictions extend to the operation of my corporate mail servers?

Thanks in advance...

Safe Harbor was generally meant to mean if someone in Europe stored data in the US it would not be touched or subject to US laws and vice versa.

Although everyone knew that in practice this was just so much fluff and nonsense, Mr Snowden put it clearly out in the public domain that the US basically ignored the agreement (and I daresay EU nations did likewise) and abused its privileges with wholesale data collection from foreign nations without a by your leave. Technically Safe Harbor would have meant that your clients' data could not be touched by Europe whilst stored on your servers in the US.

But for it to apply I believe you had to be signed up to it in the first instance, which I would guess you and your clients had not done, so it probably didn't apply anyway.

Ironically it is Microsoft that is fighting the US government over access to data stored on its Irish (tax avoiding) servers saying the US has no jurisdiction over them.

Quite frankly the whole thing is one big sorry mess and a road accident that has been waiting to happen for years. The politicos are going to have to fix it somehow or other though likely as not they'll try and sweep it under the carpet and it'll be SNAFU.

Remember that for various historical reasons the bar on privacy is 'technically' set at a much higher level in the EU than in the US - even if in practice it isn't the case (GCHQ put paid to most of it !). Your clients probably have much less legal privacy protection on your side of the pond than we do on this. Plenty of reading on the subject via searches - see something like "eu privacy vs us"

So you probably need a good lawyer (as Charlie mentioned !) and confirm that your clients are happy to have any data stored on your servers subject to US legislation (and spying/data collection). Which they might not be so happy about :-)

All naturally IMHO and not to be considered legal advice in any shape way or form !

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

mmccarn
Re: Safe Harbor and Email Servers
« Reply #4 on: October 09, 2015, 01:04:14 PM »
Thanks.

Quote from: ReetP
But for it to apply I believe you had to be signed up to it in the first instance
I had not realized that Safe Harbor is a separate gov't program requiring an application and sign-up fees.

As such, I doubt that its nullification by the ECJ affects me as much as I feared.

Quote from: CharlieBrady
Better get a lawyer, son....
Heh.  For better or worse I'm only the server admin.

Quote from: RequestedDeletion
This topic has drawn much attention, and only the EU and USA can work this out. Not us on micro level.
This is the attitude we've been taking to date, and now that ReetP has pointed out that we were never affected by Safe Harbor I'll probably continue along this path.

I'll point out to the network admin in London that continued use of Google Analytics on their web server may pose a problem...

ReetP
Re: Safe Harbor and Email Servers
« Reply #5 on: October 09, 2015, 01:50:34 PM »
Quote
Thanks.
I had not realized that Safe Harbor is a separate gov't program requiring an application and sign-up fees.

As such, I doubt that its nullification by the ECJ affects me as much as I feared.

The judgement doesn't but you really ought to think very carefully about your clients and their concerns regardless. Are they happy that their data is stored subject to US privacy laws ? You probably ought to try and have something in your contract wording to that effect.......

Quote
Heh.  For better or worse I'm only the server admin.

LOL.... and jack of all trades like the rest of us !

Quote
This is the attitude we've been taking to date, and now that ReetP has pointed out that we were never affected by Safe Harbor I'll probably continue along this path.

I'll point out to the network admin in London that continued use of Google Analytics on their web server may pose a problem...

Indeed - very wise. It is an extremely tangled web. Most of us probably have no idea where half our data is stored and what laws it may or may not be subject to.

Even worse is when you read stuff like this -  it woke me up :

http://www.makeuseof.com/tag/two-ways-your-isp-is-spying-on-you-and-how-to-be-safe/

http://amibeingtracked.com/
http://lessonslearned.org/sniff

B. Rgds
John

mmccarn
Re: Safe Harbor and Email Servers
« Reply #6 on: October 10, 2015, 06:44:41 PM »
Quote from: ReetP
You probably ought to try and have something in your contract wording to that effect......
In this instance I am covered from a contractual standpoint.

While I was once a consultant for the organization in question, I am now a full-time employee.  The board of directors dictated when opening the first overseas office in 1992 that all email would be stored in our office in Washington, DC.

So - all the managers and most of our users are aware that their email 'lives' in the US, and that it will continue to do so until the board decides otherwise.  Our users also know that email is not to be considered a secure medium, and they should not be emailing donor contact or financial details either internally or externally.

I wonder if now or at some future point I'll need to have my mail server tell senders that it's in the US... or will it be enough that any geoip service or whois lookup would tell them where our mail server is located...

Quote from: ReetP
Even worse is when you read stuff like this -  it woke me up :

http://www.makeuseof.com/tag/two-ways-your-isp-is-spying-on-you-and-how-to-be-safe/
Yeah - I'm a Verizon 'subscriber'.  Several years ago they started bouncing some of my outbound emails - usually when I was trying to hold an email discussion about a specific spam message - because their spam filter had tagged them as spam. 

I asked who managed their spam filter and they replied 'an outside organization'.  When asked which organization I was told 'we are not allowed to tell you'.

I reconfigured my home server to relay outbound email via smtps through my web hosting company...