Cloud vendors saw end of Safe Harbor agreement coming

The EU high court's decision to strike down the Safe Harbor agreement shouldn't hurt large cloud companies or their users, but long-term questions about data privacy remain.

The dissolution of a trade agreement for the transfer of data between the U.S. and Europe shouldn't dramatically impact cloud vendors or customers in the near term, but does highlight how a lack of clarity around data privacy will hang over the industry in the long term.

Safe Harbor, a legal framework for data transfers based on an agreement in 2000 between the European Union (EU) and the U.S., was struck down this week by the European Court of Justice. Roughly 4,500 companies used the agreement, but the decision is something cloud vendors are prepared for with contractual language and a glut of new data centers across Europe.

"This is really a formal nail in the coffin that's already been filled," said Adrian Sanabria, senior security analyst with 451 Research LLC in New York. "It's not a surprise to anyone and I'm not sure how much it changes."

Seen as a victory for privacy groups, the ruling does leave some uncertainty about data transfers. Tech advocacy groups on both sides of the Atlantic have called for interim guidance from the pertinent governing bodies, as well as the implementation of a new Safe Harbor agreement and long-term legal changes around surveillance regulations in the U.S.

Smaller companies are expected to be most impacted as they lack the financial and legal means to get around the ruling. There are still mechanisms, however, that companies can use to transfer data, including binding corporate rules and a presence in the EU to keep and store sensitive data.

Microsoft and Amazon each put out statements saying the ruling will not affect their customers' data, citing approval from EU data protection authorities for their specific agreements and compliance with EU Model Clauses.

Google, considered the other hyper-scale public cloud vendor, declined to comment, but pointed to a statement from the Internet Association, which represents Google, Amazon, Facebook and other tech giants. The statement called for reforms while acknowledging that larger companies can continue data transfers.

The decision doesn't mean companies have to discontinue their data transfers immediately, but it does allow authorities in the EU to investigate those transfers and shut down those communications if they aren't within the data privacy laws of the nation in which the information lies. Companies were essentially self-reporting on their compliance under the Safe Harbor agreement.

Many of the Silicon Valley tech giants have been in the crosshairs of the EU for some time. And while the EU may use this ruling to go after them, don't expect anything overnight, because of the influence these companies hold with the public, said Renee Murphy, senior analyst for Forrester Research Inc., in Cambridge, Mass.

"If you shut off Google [in Europe] tomorrow there would be a riot," Murphy said.

For a typical cloud customer, there should be nothing to worry about, as the onus is on the vendor to ensure the data resides where it's supposed to, Murphy said. It also shouldn't come as a surprise that these large cloud vendors can continue to operate business as usual.

"Of course Amazon is well positioned," Murphy said. "The reason they were so well positioned is they knew this was a problem in the first place."

In fact, some see this ruling as an opening for public cloud vendors and third-party security providers.

"It makes a big case for companies getting into both security more and adopting the cloud," Sanabria said. "The one thing about the cloud is it makes you agile enough that you could move your data center from one fiscal center to another."

It's also hard to look at some of these giant companies solely as U.S.-based, as they have subsidiaries and huge presences abroad and have to take the legal ramifications of those nations' data laws just as seriously as they do those in the U.S., he said.

There's also the opportunity for non-residency related solutions to the problem, including tokenization that allows the data to remain in its country of origin, analysts said.

Safe Harbor questions remain

Web-scale vendors aside, European companies remain troubled by the lack of certainty that this ruling has created.

"We're operating a bit in a vacuum as organizations," said Christoph Luykx, EMEA government relations director for CA Technologies. "We want to respect the court case, but at the same time, there's only so fast we can go for finding solutions."

CA, a global software company headquartered in New York, has mechanisms in place to move around data and is preparing internal guidance so services aren't disrupted. But discussions have to be worked out up and down the entire supply chain.

"The impact on smaller customers that would also like to use cloud services or have offerings, for them they are finding these legal discussions very complicated," Luykx said.

And regardless of what happened to the Safe Harbor agreement or what type of civil agreements have been reached, the biggest concerns about criminal inquiries and data privacy remain unanswered, said Daniel Arthursson, CEO of CloudMe, a Swedish sync and storage provider.

"The single person designated as data controller in the European Union company will be liable," Arthursson said. "It doesn't really matter what you have signed; if there is a breach you are liable."

If anything, this week's ruling only made it clearer to European companies that the Safe Harbor agreement didn't protect them, he added.

"Something needs to be done between the European governments and the U.S.," Arthursson said. "The implications for both sides will be huge. It's a crazy situation."

The ruling sprang from an Austrian citizen's challenge to Facebook's transfer of his data outside the EU in light of the National Security Agency surveillance revelations. So while the final decision came as no surprise, how it came about is telling, analysts said. It's striking how one individual was able to bring down such a massive agreement and it will likely take civil suits and other legal action in the U.S. before the full extent of data privacy is established.

"We're going to have to have one person suing Google and winning some weird class action lawsuit," Murphy said. "It's going to take us going to the Supreme Court in order to find the true limits."

Join the conversation

Trevor, I don't think you understood the ECJ's decision. It was based on two findings of fact, that are integral to the Judgement and part of it. These were 1. That Snowden's evidence as published, is viable evidence and has been incorporated into the judgement 2. That the US was engaged in "indiscriminate mass surveillance" via PRISM. Until PRISM stops no transfer of data is legal. In the UK PRISM is criminal as well as unlawful. That is why the Court gave no grace period. A Court cannot give a judgement with criminal implications at member state level and then say "It's OK for the criminality to continue while we sort things out". It's not legally possible and the ECJ didn't do it. People telling you it's all OK are ignoring the criminality occurring via PRISM. There is no 'bypass' by way of private contracts. Private contracts do not override criminal law.

Trevor, this seems unfair to always seem to be criticising you, but the European Court of Justice is not the European High Court. It is the European Supreme Court and there are no appeals from its verdict. This is why the PRISM finding of fact is so important, and the 'no grace' period too. If you transfer data from Europe and you have not protected it from PRISM you are committing a criminal offence. There are no exclusions. It might be much better to be blunt and frank at this stage, if change is to happen.

Once one copies their data into the "cloud", is it really their data? Frankly I think it's foolish for a company to move sensitive business data into a storage system they have no direct control over.

Good article on the subject. We've used European companies to maintain and send our emails to those in the EU, therefore we hadn't yet needed to participate in the Safe Harbor policy. We'd intended to do so when applicable. I certainly hope some solution is determined for companies of all sizes.