British companies turning to local SaaS providers after EU-US data transfer agreement crumbles


Salesforce customers have been flocking to British SaaS provider Really Simple Systems since the European courts ruled the EU-US data transfer agreement invalid. ComputerworldUK investigates why companies need to consider local servers to ensure their customers have their legal right to privacy


The announcement that US companies are no longer compliant with European data privacy rules last week put UK businesses somewhere between a rock and a hard place.

The ruling won’t stop companies from transferring data to the US, but as controllers of their UK and European customers’ data, businesses need to ensure that each customer’s right to privacy is respected, and storing that data on a US server cannot offer this, according to European law.

Some small companies and consumers may doubt that the NSA and US government bodies will intercept their information, but financial and highly regulated industries are reconsidering American-based cloud products. Since the ruling on Tuesday, British SaaS provider Really Simple Systems has already seen an influx of Salesforce customers, one of them based in the States, jump ship to its product.

It's worth noting that six out of ten consumers do not trust online businesses, or phone companies and internet service providers when it comes to data privacy, according to European Commission data released this week. Further, seven out of ten people are concerned about their information being used for a different purpose from the one it was collected for, and believe that the protection of personal data should not be confined by borders. Nine out of ten said that they should have the same level of protection over their personal information, regardless of the country in which the authority or private company processing their data is based, according to the study.

What needs to be done to stay compliant and protect data?

There are two solutions to the data privacy conflict between the US and Europe: wait for both jurisdictions to come to some sort of binding agreement, or stick to European SaaS and cloud providers, advises John Paterson, chief executive of SaaS provider Really Simple Systems.

“The European Courts of Justice aren’t saying that US companies couldn’t comply with the European Commission data directives if they wanted to, but that they don’t trust the US government,” he tells ComputerworldUK.

Take Salesforce, for example. The popular cloud-based CRM provider states that it will comply with European directives in its privacy statement. But they don’t state that they will protect this data from their own government, “because they can’t,” Paterson adds.

Europe and the US have different opinions on privacy rights. The National Security Agency (NSA), as revealed by Edward Snowden several years ago, is entitled to intercept all data and mine through it, in what is known as a “fishing expedition”, whereas European states are obliged to obtain a court order, and there must be a cause for concern, before government bodies can ask a data controller to hand over any information.

Encrypt and store data in European servers

Building a European datacentre is simply not enough. Salesforce has its own European datacentre, but customers must explicitly request that their information is stored on European servers; by default, data is stored on US-based servers. Multiple SaaS providers have announced commitments to open European datacentres since the privacy issues arose and Europe said it would be updating its data protection act, soon to be announced.

However, if the company is based in the US, it still operates under the US electronic communications act, which means that the government can request information from a US company regardless of where that information is stored. The ongoing Microsoft court case is a perfect example of this.

“The everyday person is completely confused because there is no clarity. Nobody really knows, is the answer, until the Microsoft case is resolved,” he says.

The other option is encryption. If SaaS providers don’t already offer this, it would entail major engineering work to set up the encryption and then give only the customer the keys. This defeats the point of having a cloud solution, as the customer would need to install a decryption layer on every workstation that needs access, Paterson explains.

SaaS provider Workday confirmed that it provides encryption. However, if decryption is carried out in the US on the vendor’s servers, the key must also be stored there, which defeats the point of protecting the data from state surveillance.

SaaS vendor NetSuite, which announced Dublin and Amsterdam datacentres on the day of the ruling, told ComputerworldUK: “NetSuite already has available additional mechanisms and legal and contractual safeguards to support the legal transfer of personal data from the EU.” The company has been talking about opening European datacentres for some time.

“Doing business in the EU could require adherence to dozens of standards rather than one. For a small company or one that did not take the EU-US Safe Harbor obligations seriously, that could be big trouble.” The company says it has “always employed industry standard SSL data encryption as noted by our adherence to standards such as PCI-DSS, PA-DSS, ISO-27K and others. We will continue to invest heavily in these areas and are holding our current standards for our EU-based datacentres.”

Dropbox, for example, lacks a European datacentre, but it encrypts data in transit and at rest. Firms taking extra precautions could use tools like Boxcryptor, which encrypts files before they are uploaded and keeps them in a partition of your Dropbox folder. Apple and Google are creating systems whereby the US government cannot access those keys.
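The two encryption models above (decryption on the vendor’s servers, where the key must also live, versus encryption before upload with the key kept by the customer, as tools like Boxcryptor do) are easiest to compare in code. The following is an added illustration written for this article, not code from any vendor named here. It assumes a hypothetical `SaasStore` standing in for the provider’s database, uses only the Python standard library, and builds its keystream from HMAC-SHA256 as a stand-in for a real cipher such as AES-GCM, which a production deployment would take from a vetted library instead. The customer record is a constructed sample.

```python
import hashlib
import hmac
import secrets

# --- Customer side: keys never leave the customer's own machines -------------

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn a customer passphrase into a 32-byte key. The salt is public;
    the passphrase (and thus the key) stays with the customer."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for a real
    # cipher (assumption for this illustration; use AES-GCM in production).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, derived from the master key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key

def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. The blob sent to the provider is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_record(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record rejected: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- Provider side: a hypothetical US-hosted SaaS database ------------------

class SaasStore:
    """Stores opaque blobs only; the provider never receives the key."""
    def __init__(self):
        self._rows = {}

    def put(self, record_id: str, blob: bytes) -> None:
        self._rows[record_id] = blob

    def get(self, record_id: str) -> bytes:
        return self._rows[record_id]

    def disclose_all(self) -> dict:
        # Everything the provider could be compelled to hand over.
        return dict(self._rows)

def demo() -> dict:
    """Shows what a disclosure of the provider's store yields when the customer
    holds the key, and that modification of a stored record is detected."""
    salt = secrets.token_bytes(16)
    key = derive_key("correct horse battery staple", salt)   # customer-held secret
    store = SaasStore()
    contact = b"Jane Doe, jane@example.co.uk, +44 20 7946 0000"  # constructed sample record
    store.put("contact-1", encrypt_record(key, contact))

    disclosed = store.disclose_all()["contact-1"]
    leaks_plaintext = b"jane@example.co.uk" in disclosed       # provider sees only ciphertext
    recovered = decrypt_record(key, store.get("contact-1"))     # customer can still read it

    tampered = bytearray(disclosed)
    tampered[20] ^= 0x01                                        # flip one ciphertext bit
    try:
        decrypt_record(key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "leaks_plaintext": leaks_plaintext,
        "roundtrip_ok": recovered == contact,
        "tamper_detected": tamper_detected,
    }

if __name__ == "__main__":
    print(demo())
```

The point of the split is where the key lives: `SaasStore` can be hosted anywhere and disclosed in full without exposing the record, which is exactly the property that is lost when the vendor decrypts on its own servers. The cost is the one Paterson describes: every workstation that needs the data has to run the `decrypt_record` side, and server-side features such as search over the fields no longer work.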

‘Good luck stopping us doing what we want in America’

Wikipedia founder Jimmy Wales said that the 'Safe Harbour' ruling posed a ‘concern’ for technology companies. He effectively put two fingers up to the European Commission, responding, “good luck stopping us doing what we want in America,” when ComputerworldUK quizzed him on the matter.

“This attitude replicates that of the states,” Paterson warns.

Move from Salesforce

Paterson has seen 17 Salesforce customers move to Really Simple Systems since the invalidation of ‘Safe Harbour’ last Tuesday. Most are based in the UK, but one American attorney has also made the move to ensure their data is stored on European shores, under European data privacy rules, to avoid interception.

“The European commission says that American companies are breaking the law if they are holding information without each subject’s permission. We’ve had customers, way before this ruling, in finance who didn’t want to use a US provider for that reason. The ruling has just accelerated the move.”

Will the US and Europe come to an agreement?

The US has an entirely different attitude to data privacy from Europe: privacy is deemed less of a human right when weighed up against preventing terrorism.

“Even if both did agree, the chances of getting something through Congress and the Senate, which is dictated by the Republicans, seems unlikely. It’s like gun control,” Paterson says.

So what can you do?

The Information Commissioner’s Office still isn’t sure. It issued a statement saying that it would provide some guidance at some point in the future, but it is not very clear when.

It said: “The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this.

“It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure that they are complying with the law related to international transfers. We will now be considering the judgment in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them. Businesses should check the ICO website for details over the coming weeks.

“Concerns about the Safe Harbor are not new. That is why negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a new, more privacy protective arrangement to replace the existing Safe Harbor agreement. We understand that these negotiations are well advanced.

"The ICO will be working with our European colleagues to produce guidance following the European Court of Justice ruling."

Simply sitting tight appears the best option for now.

Response from SaaS vendors

Workday said “Our customers don’t need to worry. The court decision won't impact operations at all as we have other mechanisms for processing European data in the U.S. when that is necessary, and we are actively working with customers to ensure all necessary agreements are in place. We hope that European Commission and U.S. officials will soon agree on a new safe harbor framework.”

Salesforce have yet to respond to questions on whether they encrypt as default in European datacentres and whether companies must request to have their data stored there.

Google have declined to comment on the matter. 
