Your Cloud and the US ‘ safe harbor ‘ provision. Not so ‘safe’?


Why are the long standing US safe harbor privacy data jurisdiction provisions now suddenly ‘not-so-safe harbour’ provisions?

Mr Max Schrems, an Austrian national and digital activist was concerned that Facebook could not guarantee his privacy as his personal data was located  in the U.S.

He lodged his complaint to the Irish High Court (Facebook is registered in Ireland). In turn, the Irish High Court referred the case to the European Court of Justice (ECJ) for a ruling.

On the 6th October, the ruling of Maximillian Schrems v. Data Protection Commissioner (C-362/14) resulted in the long standing safe-harbour agreement being struck down.

U.S. Cloud no longer under ‘Safe Harbor’

Put in place some 15 years ago, the U.S. – European Union (EU) ‘safe harbour’ agreement  was intended  to overcome the different approaches to managing on-line privacy between the U.S. and the EU.

In essence, EU resident’s personal data (including personnel records of employees) could be transferred to the U.S. provided that the U.S. firms implemented security and privacy controls that met, or exceeded the requirements of the EU’s data-protection directive (i.e. “safe harbor”).

The European Court of Justice’s October 6th ruling has significant implications for any organisation that deals with private data involving EU subjects where the data is located in the jurisdiction of the U.S.

Old laws for the new world?

Since the U.S. – European Union (EU) safe-harbor agreement was established, the digital world has fundamentally changed.  Since 2000, the volume of digital traffic globally has exploded, fuelled by the uptake of Cloud and related internet services – many of which are based, or at least co-located in the U.S.

The reality is that legislating in areas such as data retention, data breach or privacy in our fast-moving and shadowy digital world is a constant struggle.  For any legal and regulatory mandates to be effective, they rely on considerations such as the deterrence factor, the protections afforded under the law, and the practicalities of enforcing the law.The effectiveness of all three is to be questioned in our volatile, borderless, digital world when it comes to data security.

However, in the case of this long standing EU – U.S. safe harbor provision, this legislation has underpinned the growth of U.S. based Cloud and other IT outsourced services, where the data is located in the U.S.

Remove that ‘protection’, what’s the problem?

Business Implications – What implications?

Any company that has been relying on the U.S.-EU Safe Harbor certification for their business is directly affected by this ruling.

“….pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.” ~ Court of Justice of the European Union – PRESS RELEASE No 117/15

While this ruling specifically cites the services offered by Facebook, the striking down of the safe harbor provisions has a direct knock-on effect for other organisations and individuals.

The bottom line:  Any business that deals with data subject to privacy legislation – whether they be a Cloud / IT services provider or client organisation – need to carefully assess their exposure in respect of this ruling.   Your cloud provider’s supply chain may hide the fact that you may be impacted.  Better to know the facts than assume.

NSA leak’s taking the puff out of Cloud? Doubt it.

Pay careful attention to the nest of contractors and other providers running your Cloud – if you can. Especially under the watchful eye of the NSA

The long arm of the National Security Agency has shaken the apparent inviolability of confidentiality offered to organizations with overseas operations by U.S.-based (or …

Continue reading

Clash of the Cloud Titans

As prices fall, driven down by the global cloud giants, the cloud market is on the brink of major disruption. What can business executives do to mitigate the risk that their organization will end up as road-kill in a cloud market shake-up?

In a recent report, Global Trends 2030: Alternative …

Continue reading

Don’t let your Cloud be your business success trap

You may find yourself with a beautiful cloud ecosystem epitomising the latest in the field of emerging technology. You may think you no longer need an IT department. Think again, very carefully.

Right now, some organizations are discovering that getting their various enterprise software-as-a-service (SaaS) systems to play together nicely …

Continue reading

Governments and Cloud Computing?

The whole topic of cloud computing has been dominating the IT agenda. Conversations have been very intense in 2012 – we were barraged by new opinions, fuelled by new cloud product offerings and innovative, compelling solutions.

Given the inconsistency in the maturity of understanding across industry as to the intrinsic …

Continue reading

Who serves your Cloud service providers?

It’s easy to sign up for cloud services. Managing and integrating them . . . not so much. Are cloud service brokers the answer?

Starting your enterprise’s cloud journey is the easy part.  Implementing a stand-alone cloud application is relatively painless, and almost immediately yields significant cost and productivity benefits.…

Continue reading

Their Business, Your Risk

As the cloud market matures, it’s important for CFOs to understand the cloud-provider business model and track their business risks. If your provider is heading for trouble, so are you.

Security, privacy, location of data, total cost of ownership, lack of standards, and vendor lock-in are just a few of …

Continue reading

5 traps in your SaaS Contract

Most Business Executives today know all about security risks, and the importance of data privacy in the cloud. But it’s what you don’t know that can hurt you.

In “10 Things You Just Gotta Have in Your Cloud Contract,” I covered a range of things (10, as a matter of …

Continue reading

The tripwire on the way to your Hybrid Cloud

Organisations that have successfully implemented standalone enterprise cloud software systems soon come up against some of the realities of integration these standalone systems to their other enterprise systems, cloud or otherwise. It soon becomes apparent that the challenges of managing the increasingly complex ecosystem are not trivial. Cloud, being one …

Continue reading

When Clouds Collide

In the hybrid cloud, the risks that arise from Shadow IT become systemic. That means they affect every aspect of the business. So CFOs better know how to keep those risks manageable.

As the cloud carnival slowly makes its way through town, organizations (fortunately) are becoming increasingly aware of many …

Continue reading

IT Risk: Your Audit Checklist

Your auditors worry about the cloud. So should you. As your organization begins its cloud flight, has it fastened its auditing seatbelts? Here’s a seven-step check-list to ensure a safe landing. Buckle up.

The broad and rapid adoption of cloud computing by all sorts of businesses and organizations is quickly …

Continue reading

Four Barriers to Cloud Due Diligence

Public cloud computing comes with a range of potential risks – many of which may not be that apparent at first glance. Mitigating them takes work, but that’s better than crossing your fingers and hoping you’ll get lucky.

As a business Executive overseeing your organization’s transition to cloud, how can …

Continue reading

Cloud and the challenge of cross-platform system management

For most organisations, enterprise IT systems often involve multiple databases all using different technologies and services. In an on-premise setup it’s relatively straightforward to integrate all the components of various databases as they are all located on the same infrastructure. The challenge of integration arises when those databases are distributed …

Continue reading

Cloud vs. Regulators – Who wins?

With the arrest of the  German national Kim Dotcom (aka Kim Schmitz)  – Owner and operator of the widely used site in Auckland, New Zealand, on 20 January 2012 in a raid requested by the US Federal Bureau of Investigation, should raise some obvious and interesting questions in relation …

Continue reading