U.S. business leaders now need to look at other legal mechanisms for transferring personal data out of EU countries, since a European court has struck down the 15-year-old EU Safe Harbor privacy framework. The European Court of Justice ruled that the scale of U.S. government surveillance made the agreement invalid.
In October, CipherCloud held a panel discussion with industry experts to discuss the impacts of the ruling and to answer questions from an audience of more than 300 IT professionals. The common concerns the panel addressed included:
What will be the future of the EU Safe Harbor Agreement?
Over 4,000 cloud service providers and other enterprises have self-certified under EU Safe Harbor in order to transfer and store EU data in the U.S. lawfully. The European Commission and the U.S. are working to complete a new Safe Harbor agreement by 2016, but organizations should be aware that there is no guaranteed timeline for a new agreement and that any new agreement may itself be challenged (an outcome many legal experts consider likely). There is also a significant gap between the assurances of the Safe Harbor negotiators and the regional Data Protection Authorities in countries like Germany, which announced they would immediately begin investigating data transfers to the U.S. Bottom line: organizations need to think about how to limit their risk with or without a Safe Harbor agreement.
Are Model Clauses in provider contracts a viable substitute? What about Binding Corporate Rules?
Many cloud providers have started to offer EU Model Clauses in their contracts to address the loss of Safe Harbor protections. Such contractual language may not satisfy every Data Protection Authority across Europe (at least one in each of the 28 member states). In addition, many legal advisors, and Data Protection Authorities themselves, have pointed out that Model Clauses share some of the same weaknesses as Safe Harbor, in particular the exclusions that permit compelled disclosure to governments. Binding Corporate Rules also present issues: many advisory firms estimate that putting them in place can take more than 18 months and cost millions.
What about remote access of EU data from a non-EU country?
Even if a cloud provider's data center resides in Europe, business leaders need to be aware of the locations and citizenship of the employees who access data in the cloud. As the ongoing Microsoft/Ireland case has made clear, who has access to data is as important as where the data center sits. In addition, many providers have third-party relationships with other providers, so choosing a provider with a European data center is by itself no guarantee that data will not flow to other regions or to partners.
What can I do to limit my firm’s risk?
Data protection approaches that help companies comply with EU data privacy and residency regulations can also address the Safe Harbor problem. Applying encryption and tokenization before data goes into the cloud replaces personal data with ciphertext or tokens while the keys and the token vault stay under the enterprise's control in the EU. This protects the data in transit and ensures that what is processed in the cloud contains no personal or regulated data; note that because the mapping is reversible, EU regulators treat this as pseudonymization rather than anonymization, so the vault and keys must never travel with the data. CipherCloud has compiled an extensive set of resources on U.S.-EU Safe Harbor issues and created a Global Compliance Center that details privacy and residency requirements for Europe and over 80 countries around the world.
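To make the tokenization approach concrete, here is an added example (written for this post, not CipherCloud's product code) of an on-premises tokenization gateway: personal fields in a customer record are swapped for random tokens before the record leaves for a cloud application, and resolved again on the way back. The vault is an in-memory dictionary and the field names and sample record are constructed for illustration; a production vault would be an encrypted database that stays inside the EU, but the mapping logic is the same.

```python
"""Tokenization gateway: strip personal data out of a record before it is
sent to a cloud application and restore it on the way back.

Added example for this post, not CipherCloud's own code.  The set of PII
field names, the in-memory vault and the sample record are assumptions
made for illustration.
"""
import json
import secrets

# Field names treated as personal data (an assumption for this example).
PII_FIELDS = frozenset({"name", "email", "national_id"})


class TokenVault:
    """On-premises mapping between random tokens and the original values.

    Only the vault holds the real values; the cloud side only ever sees
    tokens, which are random and carry no information about the value.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token for a value already seen, so that equality joins
        # and exact-match searches still work in the cloud application.
        token = self._value_to_token.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # 128 random bits
            while token in self._token_to_value:    # practically never loops
                token = "tok_" + secrets.token_hex(16)
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Fail loudly: a token missing from the vault is a bug or tampering.
        return self._token_to_value[token]


def outbound(record: dict, vault: TokenVault) -> dict:
    """Record as it may leave for the cloud: PII fields replaced by tokens."""
    return {k: (vault.tokenize(v) if k in PII_FIELDS else v)
            for k, v in record.items()}


def inbound(cloud_record: dict, vault: TokenVault) -> dict:
    """Record coming back from the cloud: tokens resolved to real values."""
    return {k: (vault.detokenize(v) if k in PII_FIELDS else v)
            for k, v in cloud_record.items()}


def leaks_pii(cloud_record: dict, original: dict) -> bool:
    """Pre-transmission check: does any original PII value still appear in
    the serialised payload?  Serialising catches values that were copied
    into a non-PII field by mistake."""
    payload = json.dumps(cloud_record)
    return any(str(original[k]) in payload for k in PII_FIELDS if k in original)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample CRM record.
    customer = {"id": 1042, "name": "Anna Schmidt", "email": "anna@example.de",
                "national_id": "DE-123456", "plan": "enterprise", "country": "DE"}
    sent = outbound(customer, vault)
    print("to cloud:   ", sent)
    print("leaks PII:  ", leaks_pii(sent, customer))
    print("round trip: ", inbound(sent, vault) == customer)
```

The point a practitioner should take from this is the asymmetry: the cloud application can still sort, deduplicate and join on the tokenized fields, but nothing it stores, logs or shares with a sub-processor can be turned back into a person without the vault, which never leaves the enterprise. The `leaks_pii` check belongs in the gateway as a last guard, because a schema change that adds a new personal field outside `PII_FIELDS` would otherwise pass silently.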
Finally, firms can control and protect cloud data proactively by adopting a Cloud Access Security Broker that provides security and compliance across cloud applications such as CRM, ITSM and file sharing.