Daniel Arthursson

By Daniel Arthursson, founder and CEO of CloudMe

imgresIt’s common knowledge that you shouldn’t leave sensitive data open to the public, but companies are willingly handing over private information in the cloud even though they know it’s going to be under surveillance by foreign governments. A report by Gartner predicts that by the end of 2016 more than 50 percent of Global 1000 companies will have stored customer-sensitive data in the public cloud.

The rationale has always been that if there is a reputable safeguard like the Safe Harbor Act then it must be safe and a company’s cloud vendor would never do anything with that information. After Snowden’s disclosure, the premise of the Safe Harbor Act became complex, especially since it was routinely used by governments for surveillance. However, the European Court of Justice’s decision has made its stance crystal clear; the entire Safe Harbor Act and its validity to protect EU citizens’ privacy has been dismissed.

Repercussions of No Longer having the Safe Harbor Act

The court’s latest move brings up another interesting legal implication. With the current EU Data Protection Act, every company needs to have a legally responsible data controller. The data controller is fully accountable for what happens with personal data, even if the data storage, or processing, is outsourced to a third party that later discloses that data. As processing of data in the U.S. has been deemed insecure since a U.S. company cannot guarantee that a third party won’t be able to access data – even with a Safe Harbor Act agreement in place – any use of a U.S. service will be a breach of the EU Data Protection Act. The repercussion for the data controller in every single company using a U.S. cloud service can be prison of up to two years. This can leave anyone, from an end customer using SaaS services to EU SaaS services running their service on top of a U.S. cloud infrastructure, predisposed.

One suggestion to solve this problem has been to have U.S. companies setup data centers in Europe and stop transferring any data to its U.S.-based data centers. A second suggestion has been to allow the U.S. government to force overseas companies with majority U.S. ownership to hand over any data required in order to comply with U.S. law – this will include any data stored in a EU data center. However, neither option seems like a viable solution.

The court’s decision has clarified what the EU legislation really means for EU businesses, but from a legal liability perspective we are still in the same predicament. Every company’s data controller is liable, including whatever the U.S. government does once they have handed over the data to a U.S. cloud service. This will likely continue and extend to U.S. entities as they will be required to follow U.S. law while operating overseas. This means that if you use and store information in an EU data center controlled by a U.S. entity that later discloses your company’s personal information to a third party, like the U.S. government, you will be liable.

Where We Go From Here

As a company’s CEO or data controller you need to adapt to the current situation in the EU. In reality there is no way you can negotiate out of the European Data Protection Act and you cannot shift the liability to a U.S. service provider through any type of agreement, regardless of what your supplier says. You have no more protection against the continued use of U.S. services.

So what’s the definition of personal data? Any data that relates to a living individual who can be identified from those data or other data handled by the data controller. According to Skyhigh’s 2014 Cloud Adoption and Risk in Europe Report that looks at cloud service providers used by employees in European organizations, 74.3 percent of the providers did not meet basic security stipulations, meaning that any organization sending personally identifiable information (PII) to these service providers is breaking the EU Data Protection directive.

Where do you begin? For starters, review all cloud services your company uses and begin protecting privacy and personal data. Consider the following questions:

1)      Where is the cloud service providers’ data center and where is my data stored specifically?

2)      Is any data stored or processed outside of the EU?

3)      Is my company’s European SaaS provider employing a U.S. cloud service like Amazon or Microsoft Azure as its platform for running their business?

4)      Who has the controlling stake in the cloud service my company uses and is it majority controlled by U.S. interests?

If the answer to any of the above questions is ‘Yes,’ then you are liable of breaching the European Data Protection Act if you handle any personal data.

European companies have an enormous challenge ahead and Europe is missing many crucial services provided by U.S. companies. Many new data centers, cloud infrastructure companies and SaaS services need to be rebuilt or improved within the EU in order to allow a transition into legal compliance by its companies.

As we look forward, we’ll see a growing demand for European cloud and sync storage services that can meet the demands of EU companies while abiding by the European Data Protection Act. This move to European data centers will certainly take months to complete and a great deal of gray area still remains. The court’s decision has proved to Europeans that the Safe Harbor Act didn’t protect them, however, the European and U.S. governments still need to determine where exactly this leaves its companies.