Why are the long-standing US safe harbour privacy data jurisdiction provisions now suddenly ‘not-so-safe harbour’ provisions?
Mr Max Schrems, an Austrian national and digital activist, was concerned that Facebook could not guarantee his privacy as his personal data was located in the U.S.
He lodged his complaint with the Irish High Court (Facebook is registered in Ireland). In turn, the Irish High Court referred the case to the European Court of Justice (ECJ) for a ruling.
On the 6th October, the ruling of Maximillian Schrems v. Data Protection Commissioner (C-362/14) resulted in the long-standing safe-harbour agreement being struck down.
U.S. Cloud no longer under ‘Safe Harbour’
Put in place some 15 years ago, the U.S. – European Union (EU) ‘safe harbour’ agreement was intended to overcome the different approaches to managing on-line privacy between the U.S. and the EU.
In essence, EU residents’ personal data (including personnel records of employees) could be transferred to the U.S. provided that the U.S. firms implemented security and privacy controls that met or exceeded the requirements of the EU’s data-protection directive (i.e. “safe harbour”).
The European Court of Justice’s October 6th ruling has significant implications for any organisation that deals with private data involving EU subjects where the data is located in the jurisdiction of the U.S.
Old laws for the new world?
Since the U.S. – European Union (EU) safe-harbour agreement was established, the digital world has fundamentally changed. Since 2000, the volume of digital traffic globally has exploded, fuelled by the uptake of Cloud and related internet services – many of which are based, or at least co-located in the U.S.
The reality is that legislating in areas such as data retention, data breach or privacy in our fast-moving and shadowy digital world is a constant struggle. For any legal and regulatory mandates to be effective, they rely on considerations such as the deterrence factor, the protections afforded under the law, and the practicalities of enforcing the law. The effectiveness of all three is to be questioned in our volatile, borderless, digital world when it comes to data security.
However, in the case of this long-standing EU – U.S. safe harbour provision, this legislation has underpinned the growth of U.S.-based Cloud and other IT outsourced services, where the data is located in the U.S.
Remove that ‘protection’, what’s the problem?
Business Implications – What implications?
Any company that has been relying on the U.S.-EU Safe Harbour certification for their business is directly affected by this ruling.
“….pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.” ~ Court of Justice of the European Union – PRESS RELEASE No 117/15
While this ruling specifically cites the services offered by Facebook, the striking down of the safe harbour provisions has a direct knock-on effect for other organisations and individuals.
The bottom line: Any business that deals with data subject to privacy legislation – whether it be a Cloud / IT services provider or client organisation – needs to carefully assess its exposure in respect of this ruling. Your cloud provider’s supply chain may hide the fact that you may be impacted. Better to know the facts than assume.
Pay careful attention to the nest of contractors and other providers running your Cloud – if you can – especially under the watchful eye of the NSA.