Using Cloud Services? What the End of Safe Harbor Means for EU Companies
It’s common knowledge that you shouldn’t leave sensitive data open to the public, but companies are willingly handing over private information in the cloud…even though they know it’s going to be under surveillance by foreign governments.
The rationale has always been that if there is a reputable safeguard like the Safe Harbor Act, then any cloud vendor must be safe to use, and it would never do anything with a customer’s information. However, after Edward Snowden’s disclosure of NSA surveillance programs in the United States, the premise of the Safe Harbor Act became complex, especially since it was routinely used by governments for surveillance. The European Court of Justice’s recent decision, though, has made its stance crystal clear: the entire Safe Harbor Act and its validity to protect European Union (EU) citizens’ privacy has been dismissed.
Guest article by Daniel Arthursson, CEO of Xcerion and CloudMe
Repercussions of No Longer Having the Safe Harbor Act
The court’s latest move brings up another interesting legal implication. With the current EU Data Protection Directive, every EU company needs to have a legally responsible data controller. The data controller is fully accountable for what happens with personal data, even if the data storage, or processing, is outsourced to a third party that later discloses that data.
As processing of data in the U.S. has been deemed insecure since a U.S. company cannot guarantee that a third party won’t be able to access data, any use of a U.S. service by an EU company will be a breach of the Data Protection Directive. The repercussion for the data controller in every company using a U.S. cloud service can be imprisonment of up to two years. This can leave anyone — from an end customer using SaaS services to EU SaaS services running their service on top of a U.S. cloud infrastructure — predisposed.
The court’s decision has clarified what the legislation really means for EU businesses, but from a legal liability perspective, we are still in the same predicament. Every company’s data controller is liable, including whatever the U.S. Government does once they have handed over the data to a U.S. cloud service. This will likely continue and extend to U.S. entities operating overseas: if you use and store information in an EU data center controlled by a U.S. entity that later discloses your company’s personal information to a third party, like the U.S. Government, you will also be liable.
Where Do We Go From Here?
As a company’s CEO or data controller, you need to adapt to the current situation in the EU. In reality, there is no way you can negotiate out of the European Data Protection Directive, and you cannot shift the liability to a U.S. service provider through any type of agreement, regardless of what your supplier says. You have no more protection against the continued use of U.S. services.
So what’s the definition of personal data, when it comes to what the data controller is responsible for? It refers to any data that relates to a living individual who can be identified from that data or other data handled by the data controller.
According to Skyhigh’s 2014 Cloud Adoption and Risk in Europe Report that looks at cloud service providers used by employees in European organizations, 74.3 percent of the providers did not meet basic security stipulations. This means that any organization sending personally identifiable information (PII) to these service providers is breaking the EU Data Protection Directive.
Where do you begin? For starters, review all cloud services your company uses and begin protecting privacy and personal data. Consider the following questions when doing this:
- Where is the cloud service provider’s data center, and where is my data stored specifically?
- Is any data stored or processed outside of the EU?
- Is my company’s European SaaS provider employing a U.S. cloud service like Amazon or Microsoft Azure as its platform for running their business?
- Who has the controlling stake in the cloud service my company uses, and is it majority controlled by U.S. interests?
If the answer to any of the above questions is ‘Yes,’ then you are liable of breaching the European Data Protection Act if you handle any personal data.
European companies have an enormous challenge ahead, and Europe is missing many crucial services provided by U.S. companies. Many new data centers, cloud infrastructure companies, and SaaS services need to be rebuilt or improved within the EU in order to allow a transition into legal compliance by its companies.
As we look forward, we’ll see a growing demand for European cloud and sync storage services that can meet the demands of EU companies and abide by the European Data Protection Directive. This move to European data centers will certainly take months to complete — and a great deal of gray area still remains.
The court’s decision has proved to Europeans that the Safe Harbor Act certainly didn’t protect them. However, the European and U.S. governments still need to determine where exactly this leaves its companies in the wake of the decision.
During the last 18 years, Daniel Arthursson has been running cloud-related companies, and has founded CloudMe.com, CloudTop.com, iCloud.com and brands like MyCloud.com. He is an inventor or co-inventor of 16 US patents related around the network operating system, and is the CEO of the Xcerion and CloudMe companies.