• The 15-year-old Safe Harbour agreement between the EU and US was effectively thrown out by the Court of Justice of the EU (CJEU).
• US companies (and all MNCs) are now vulnerable to litigation and loss of customers over privacy concerns.
• While authorities have been tasked with coming up with an alternative by January, that is highly unlikely to happen. Enterprises may need managed security and cloud providers to secure customer data in specific jurisdictions.
October 6 Decision
The CJEU, which interprets EU law to make sure it is applied in the same way in all EU countries, ruled that the Safe Harbour agreement in place for the last 15 years between the European Commission and US authorities did not offer the necessary legal guarantees that it was supposed to have. This ruling erased the quasi-legal framework under which US companies have been handling their EU customers’ data, potentially creating a legal minefield.
The case handled by the CJEU came out of the High Court in Ireland, in which a Facebook user from Austria had filed a complaint to the Irish Data Protection Commissioner regarding the US-based social media company’s handling of his personal data. His argument, in effect, was that the revelations of widespread government surveillance published by Edward Snowden showed that data held by US companies could not be kept secure to EU standards. When the Irish commissioner dismissed the complaint, the case went to court, landing in Luxembourg at the CJEU because of the clear EU-wide implications. With Safe Harbour no longer safe, data protection authorities across the EU have given the European Commission and national governments three months to come up with an alternative.
Fallout from the Ruling
For now, US companies that signed up to Safe Harbour are no longer legally entitled to use European customer data, potentially making them vulnerable to litigation. The issue of data security is high on the agenda of some consumers these days, so US businesses held under suspicion are also vulnerable to a significant loss of customers. To deal with the new reality, US businesses may need to host customer data locally in all of the jurisdictions in which they operate, according not just to EU but also to national regulations. To say that this is a scenario that multinationals have tried to avoid is an understatement. But at the same time, cloud and hosting services around the world have been preparing for it, building Tier III/IV data centers capable of dynamically managing the local storage location of data.
Security as a Service
Beyond regional hosting on premises or in the cloud, vendors and service providers offer data security services to assist MNCs in navigating the potential quagmire. If consumers are going to do business in the future only with the brands they trust, companies need policies, processes and systems in place that help prove that trust is well-placed. Managed security service providers have developed extensive expertise in governance, regulatory and compliance (GRC) matters, and stand at the ready to assist with assessments and plans. Those with their own (or partner) cloud services can propose a solution to implement and manage, not just provide advice.