On the 6th October 2015, the European Court of Justice issued a decision that has profound implications for any business using US-based Cloud services. The ruling effectively outlawed the “Safe Harbor” agreement, which was used by US companies to remain complaint with EU law regarding handling of personal data.
So why is the death of Safe Harbor actually a very big deal, and what does your business need to do about it?
What changed with the data protection agreement?
Under the current European data protection legislation, it is illegal to transfer personal data beyond EU borders. However, the European Union agreed to a compromise called “Safe Harbor”, an agreement that US businesses who could certify that they met various data protection guidelines would be allowed to transfer data for storage and processing in the US without risk of prosecution.
For many years, the Safe Harbor agreement seemed to be effective. By replicating information to datacentres in the US, British businesses could take advantage of the Cloud software tools they needed.
However, revelations about surveillance by the NSA, and apparent complicity by some US-based Cloud providers in exposing personal data to the agency, led the European Court of Justice to revisit the Safe Harbor agreement. After investigation, it was decided that Safe Harbor was not providing the levels of protection promised for EU residents, and was thus ruled invalid with immediate effect.
What now for Cloud-based data regulations?
Following the ruling, the EU announced that further investigation was needed to decide whether it would be possible to agree an enhanced Safe Harbor-style agreement. A working party has been convened to look at the issue, and a three-month stay agreed, during which time businesses will not be prosecuted for continuing to use systems and services that transfer data to the US, up until the end of January 2016.
Initially the working party agreed that businesses could get around the problem by creating new, legally binding agreements with every service provider that enforced EU data protection expectations. This could then be combined with the explicit permission of every individual to have their data processed outside the EU.
However, the German data commissioner has greatly confused the issue, by refusing both these workarounds as unacceptable. They are also ignoring the agreed three-month wait, launching immediate investigations into several businesses they believe have been syncing data to the US using Cloud services.
The workable business Cloud-data usage solution
With EU commissioners already unable to agree on how best to approach the transfer of data outside Union borders, the future is anything but clear. The working party may yet come up with a solution that gets around the data transfer problem and allows the use of US-based Cloud systems once more – or they may not.
For your business now, the safest choice is to switch to Cloud storage services from UK-based providers using only EU datacentres – like Cloud Drive from Broadband Cloud Solutions. Businesses already using Cloud services will need to check where their data is currently stored, and if it is in US datacentres, arrange for it to be repatriated as soon as possible.
Taking this approach ensures that data remains within EU borders whilst still allowing your business to benefit from all the expected Cloud-usage benefits of improved flexibility, greater efficiency and lower costs. For more information and advice on using the Cloud successfully for your business, you can contact our expert team at Broadband Cloud Solutions today.
Leave a Reply
