How the ‘Safe Harbour’ ruling is wreaking havoc on cloud computing
The recent ECJ ruling on the ‘Safe Harbour’ framework may prove to have drastic consequences for businesses relying heavily on cloud computing. So what kinds of challenges can the industry expect to face? We asked two cloud computing experts.
JAXenter: First of all, what exactly does the ECJ ruling on ‘Safe Harbour’ mean for transatlantic data transfer from now on?
Robert Arandjelovic and Ravi Pather: The legal decision of the EU Court of Justice concerning “Safe Harbour” wreaks havoc on thousands of businesses – on both sides of the Atlantic – that rely on this framework to transfer and store EU data in the USA. For example, many US-based businesses collect and centrally analyse user information from across the world to better understand and act on regional trends.
Striking down the Safe Harbour law will force many multinational organisations to find new ways to share data in order to do mission-critical analysis for business decision-making. European companies will also re-assess how and where they send user data, knowing that they will not be able to freely pass this data to US-based subsidiaries or data-processing centres. While this decision immediately affects EU-based companies and those doing business in EU countries, it will gradually impact others outside of the Eurozone as well.
JAXenter: What will change now for European companies? And how long will companies have to adapt?
One of the immediate places where businesses will feel the impact of this decision is in cloud computing. With the rapid take-up of cloud applications by European companies, the reality is that many of these cloud services are based in the US or have large American data centres. When they subscribe to these services, EU enterprises may end up sending data on European users to cloud infrastructures back in the US for processing and storage. Under Safe Harbour, that was allowed, but the Court’s decision reverses that, and compels organisations to react.
While cloud service providers themselves will also need to re-evaluate how they can comply in a post-Safe Harbour world, the responsibility won’t fall entirely on them. Any EU operation that has data on EU employees, customers or partners will have to carry out a detailed audit of how their data is stored and shared, with a specific focus on cloud usage, and check that they comply with the new reality. It will not be possible to outsource this responsibility to the providers of the cloud applications these organisations use and share user information on.
Surprisingly, there has not yet been any indication of a “grace period” for companies to come into compliance with the ECJ’s findings. However, organisations will still have time: no actions would be taken against organisations until investigations are launched and concluded by European authorities. Still, this makes it imperative for organisations to not waste time in seeing where they stand.
JAXenter: And what kind of challenges are companies facing, and are there any existing solutions?
In particular, the Safe Harbour ruling puts Cloud Service Providers (CSPs) in a tough spot as they depend on the framework to do business in Europe, specifically using it to authorise them to store data on behalf of European companies and mobile application developers. This will have a large impact on investment and financial performance. Not only will these companies need to build new data centres in countries in which data must now reside, but it will impact providers’ ability to sell services to entire regions until they are compliant.
Organisations need actionable advice for instituting proactive means and mechanisms to ensure data privacy and regulatory compliance while they run the business – a significant piece of guidance that is lacking from the Safe Harbour legislation.
Blue Coat has been observing the shifting sands of the data privacy regulatory environment, which is one of the reasons that it recently acquired Perspecsys, a leader in enterprise cloud data protection and data residency solutions. Blue Coat’s Cloud Visibility and Intelligence solutions, along with its cloud data encryption and tokenisation products, are designed to help its enterprise customers ensure secure and compliant cloud use – even adapting to changing compliance regulations, which is the situation in this case.
The Cloud Data Protection Platform allows critical enterprise data to be encrypted or tokenised before it leaves an enterprise for processing and storage in the cloud. Because the clear-text data never leaves the organisation, and is protected in-transit, at-rest and in-use within the cloud, issues associated with data privacy, security and compliance are addressed. In addition to securing the data, the AppProtex Platform ensures that the users of cloud applications can still use the application’s features – like searching, sorting and reporting – even on data that has been strongly encrypted or tokenised.
JAXenter: All in all, this seems like quite a big headache for enterprises – do you think cloud-focused businesses in Europe are ready?
We believe that some businesses are already well positioned to respond to these new requirements, whereas others, in particular sensitive industries such as finance and health, are struggling to meet the new regulations and risk putting themselves in a position where they are penalised for not being compliant.