Safe Harbour is Dead – What Now for European Businesses?
Cloud computing has revolutionised the way that businesses operate, allowing them to take advantage of virtually limitless processing and storage capabilities using Internet-hosted infrastructure. The global nature of the Cloud means that corporate data is transferred automatically between data centres across the world to increase availability and minimise operators’ running costs.
In the past, US companies self-certified compliance under the ‘Safe Harbour’ agreement to demonstrate their adherence to EU standards of personal data protection. The Safe Harbour agreement allowed businesses to host their corporate data in the Cloud using US-based services, transferring data outside EU borders (which was otherwise forbidden).
All this changed on 6 October, however, when the European Court of Justice ruled that the Safe Harbour data sharing agreement was invalid, immediately throwing the entire industry into disarray. Transferring data outside EU borders using providers that were self-certified under Safe Harbour became illegal instantly.
A stop-gap that doesn’t work
Initially European Commission officials tried to reassure affected organisations that they could continue “as normal” if they could either:
- Negotiate a new contract with each Cloud provider that introduced binding corporate rules covering data protection, or
- Secure ‘unambiguous and informed’ consent from each data subject (the individual whose data is to be transferred).
On the face of it, either option would seem to comply with the EU legislation governing the proper handling of personal data. After the ruling an Article 29 Working Party was appointed to look at the issue, and it agreed to accept either of these suggestions as a valid stop-gap until the end of January 2016, when it would announce its own definitive advice.
That was until the German regulator broke ranks. The German data protection registrar announced immediate audits of US subsidiaries operating in Germany to check that they are not sending data outside the EU contrary to the recent ruling. The regulator also declared that re-negotiated service contracts offer insufficient protection for individuals and would therefore be invalid. Worse still, the German data protection registrar will not accept personal consent as an acceptable alternative, overruling the other members of the Article 29 Working Party.
This disagreement leaves the rest of Europe with a problem, as there must be consensus between member states about legal issues governing the Union.
The only way forward
At this point, the only way to avoid problems with data regulators is to move away from US-based Cloud services with immediate effect. Many service providers use EU-based data centres, and businesses need to ensure that their data is stored in them, and never crosses EU borders.
Where providers do not offer EU-only storage and processing, customers will need to switch to an alternative provider that can offer an EU-only service. In this way, all parties can be sure that private information is not crossing EU borders illegally.
The situation may change again next year when the Article 29 Working Party delivers its recommendations, but until that time, businesses still risk being prosecuted for breaching data protection rules.