In October, the European Union’s highest court struck down the “Safe Harbor” Privacy Principles, a provision that allowed for the sharing of European personal data between the EU and U.S. The verdict is meant to preserve EU citizens’ inherent right to privacy given the reality of U.S. national security laws, specifically The Patriot Act, which provide the NSA nearly unilateral access to data managed by U.S. companies.
While this may be a win for privacy advocates, it has left almost 5,000 companies with no clear solution for legally transferring data between Europe and the U.S. Temporary workarounds such as the use of Model Clauses are inefficient, and are currently operating in a legal grey area until regulators take a firmer stance on acceptable practices. In this slideshow, Accellion outlines the top five lessons businesses need to learn from Safe Harbor, as well as how they can apply them to their business strategy.
Safe Harbor Is Sunk: What Have We Learned?
Click through for the top five lessons businesses need to learn from Safe Harbor, as well as how they can apply them to their business strategy, as identified by Accellion.
Keep Track of Your Data (Geographically)
If you are leveraging the cloud, know where your data is being stored, who manages your data and who could potentially access it. This is critical information to consider when establishing a data sharing/storage framework. Companies in the EU who didn’t know that their data was being stored in (or transferred through) the U.S. are now at a crossroads.
With just three months to comply with the European Court of Justice’s landmark ruling, companies need to immediately revisit how they store and share data. While it is expected that data storage providers will scramble to create European data centers capable of complying with the new legislative environment, companies can expect to suffer costly periods of business disruption. As an alternative, enterprises should look toward localized storage solutions that are either privately owned or maintained on-premise. These solutions offer complete data sovereignty, and fully comply with geographic data segregation requirements.
Keep Up on – and Anticipate – Legislation
The invalidation of the Safe Harbor agreement is a stark reminder of how crucial it is for business leaders to keep up with legislation at home, and internationally. By staying informed on legislative developments, organizations can avoid the costly mistake of being caught unprepared. No company operates in a bubble.
The key to applying this lesson is simple: Read the news and ask questions. Identify the top 10 publications that track news of relevance to your industry, and make a habit of monitoring for developments related to legislation that currently impacts or could potentially impact your business’ day-to-day operations. For example, does the Cybersecurity Information Sharing Act (CISA) stand to upend your customers’ trust of your organization? Include in your daily news scan searches for relevant legislation, regulatory agencies, or congressional committees so that you can be an active participant in the debate, not just an affected party. Setting up a Google alert with key search terms is a great way to stay on top of the news that matters most to your business.
Know the Timeline
Now that businesses are scrambling to accommodate these new privacy protections, understanding the timeline is crucial.
Again, the EU recently announced they would be giving companies a three-month grace period to establish compliance with new data sovereignty requirements. This means that by the end of January, European personal data cannot be processed or stored in the U.S. It also means that regulators plan to prosecute companies that fail to comply. This is not a case of empty words, and by issuing a deadline, the EU shows that they mean business. The countdown has begun, and CIOs need to be sure to mark their calendars and implement a solution ahead of the deadline, or suffer the consequences.
Consider Your Options
The fall of Safe Harbor has shown the technology industry that one cloud does not fit all. Previously, concerns about data sovereignty were exclusive to highly regulated industries, such as legal, health care, financial services and government. This is no longer the case, as the EU has ruled that the principles of data sovereignty are inherently connected to privacy.
Enterprises need to learn what cloud options they have, as well as the benefits of each. Oftentimes, the term “cloud” is associated with something outside the reach of the company, but this isn’t always the case. Companies can own their own cloud, via private and on-premise solutions, retaining not just legal, but physical ownership of their data. The collapse of Safe Harbor will lead to many more companies investigating these previously niche solutions as a way of complying within the new global technology landscape.
Know What’s Next
The significance of the rejection of the long-standing Safe Harbor agreement is undeniable, but it won’t mean much if Microsoft loses its long-running dispute with the U.S. government over emails stored in an Irish data center. The Microsoft case revolves around the government’s right to access emails stored on foreign soil, with Microsoft arguing that the United States’ jurisdiction does not extend into Ireland. Should Microsoft lose its appeal, the message will be clear: Ownership of the data center, and not ownership of the data, will be the determining factor for government access. That means technology giants like Amazon and Microsoft will have no legal basis for denying access requests from the U.S. government, regardless of whether the data is, or has ever been, held within U.S. borders.
Companies need to establish a contingency plan in the event that Microsoft loses its legal battle with the U.S. government. Experts have already been discussing how the Safe Harbor ruling could be applied in this instance, claiming U.S. access to EU data violates a core right, but these arguments are purely theoretical. In the meantime, investment in private cloud infrastructure is necessary as long as data security and privacy are a priority. As government agencies try to expand their reach further than ever, only by confining key assets to an on-premise, private cloud can organizations best mitigate the risk of government intrusion.
