BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
The dissolution of a trade agreement for the transfer of data between the U.S. and Europe shouldn't dramatically impact cloud vendors or customers in the near term, but does highlight how a lack of clarity around data privacy will hang over the industry in the long-term.
Safe Harbor, a legal framework for data transfers based on an agreement in 2000 between the European Union (EU) and the U.S., was struck down this week by the European Court of Justice. Roughly 4,500 companies used the agreement, but the decision is something cloud vendors are prepared for with contractual language and a glut of new data centers across Europe.
"This is really a formal nail in the coffin that's already been filled," said Adrian Sanabria, senior security analyst with 451 Research LLC in New York. "It's not a surprise to anyone and I'm not sure how much it changes."
Seen as a victory for privacy groups, the ruling does leave some uncertainty about data transfers. Tech advocacy groups on both sides of the Atlantic have called for interim guidance from the pertinent governing bodies, as well the implementation of a new Safe Harbor agreement and long-term legal changes around surveillance regulations in the U.S.
Smaller companies are expected to be most impacted as they lack the financial and legal means to get around the ruling. There are still mechanisms, however, that companies can use to transfer data, including binding corporate rules and a presence in the EU to keep and store sensitive data.
Microsoft and Amazon each put out statements saying the ruling will not affect their customers' data, citing approval from EU data protection authorities for their specific agreements and compliance with EU Model Clauses.
Google, considered the other hyper-scale public cloud vendor, declined to comment, but pointed to a statement from the Internet Association, which represents Google, Amazon, Facebook and other tech giants. The statement called for reforms while acknowledging that larger companies can continue data transfers.
The decision doesn't mean companies have to discontinue their data transfers immediately, but it does provide authorities in the EU to investigate those transfers and shut down those communications if they aren't within the data privacy laws of the nation in which the information lies. Companies were essentially self-reporting on their compliance under the Safe Harbor agreement.
Many of the Silicon Valley tech giants have been in the crosshairs of the EU for some time. And while they may use this to go after them, don't expect anything overnight, because of the influence these companies hold with the public, said Renee Murphy, senior analyst for Forrester Research Inc., in Cambridge, Mass.
"If you shut off Google [in Europe] tomorrow there would be a riot," Murphy said.
For a typical cloud customer, there should be nothing to worry about, as the onus is on the vendor to ensure the data resides where it's supposed, Murphy said. It also shouldn't come as a surprise that these large cloud vendors can continue to operate business as usual.
"Of course Amazon is well positioned," Murphy said. "The reason they were so well positioned is they knew this was a problem in the first place."
In fact, some see this ruling as an opening for public cloud vendors and third-party security providers.
"It makes a big case for companies getting into both security more and adopting the cloud," Sanabria said. "The one thing about the cloud is it makes you agile enough that you could move your data center from one fiscal center to another."
It's also hard to look at some of these giant companies solely as U.S.-based, as they have subsidiaries and huge presences abroad and have to take the legal ramifications of those nations' data laws just as seriously as they do those in the U.S., he said.
There's also the opportunity for non-residency related solutions to the problem, including tokenization that allows the data to remain in its country of origin, analysts said.
Safe Harbor questions remain
Web-scale vendors aside, European companies remain troubled by the lack of certainty that this ruling has created.
"We're operating a bit in a vacuum as organizations," said Christoph Luykx, EMEA government relations director for CA Technologies. "We want to respect the court case, but at the same time, there's only so fast we can go for finding solutions."
CA, a global software company headquartered in New York, has mechanisms in place to move around data and is preparing internal guidance so services aren't disrupted. But discussion have to be worked out up and down the entire supply chain.
"The impact on smaller customers that would also like to use cloud services or have offerings, for them they are finding these legal discussions very complicated," Luykx said.
Daniel ArthurssonCEO of CloudME
And regardless of what happened to the Safe Harbor agreement or what type of civil agreements have been reached, the biggest concerns about criminal inquiries and data privacy remain unanswered, said Daniel Arthursson, CEO of CloudMe, a Swedish sync and storage provider.
"The single person designated as data controller in the European Union company will be liable," Arthursson said. "It doesn't really matter what you have signed; if there is a breach you are liable."
If anything, this week's ruling only made it clearer to European companies that the Safe Harbor agreement didn't protect them, he added.
"Something needs to be done between the European governments and the U.S.," Arthursson said. "The implications for both sides will be huge. It's a crazy situation."
The ruling sprang from an Austrian citizen's challenge to Facebook's transfer of his data outside the EU in light of the National Security Agency surveillance revelations. So while the final decision came as no surprise, how it came about is telling, analysts said. It's striking how one individual was able to bring down such a massive agreement and it will likely take civil suits and other legal action in the U.S. before the full extent of data privacy is established.
"We're going to have to have one person suing Google and winning some weird class action lawsuit," Murphy said. "It's going to take us going to the Supreme Court in order to find the true limits."