Editor’s Note: As of January 2022, iland is now 11:11 Systems, a managed infrastructure solutions provider at the forefront of cloud, connectivity, and security. As a legacy iland.com blog post, this article likely contains information that is no longer relevant. For the most up-to-date product information and resources, or if you have further questions, please refer to the 11:11 Systems Success Center or contact us directly.
The EU court’s ruling this week has raised a lot of questions and generated a substantial amount of confusion on something that most folks probably never gave much thought to: the US – EU Safe Harbor regulations.
A rather old framework of regulations, the Safe Harbor provisions were established in 2000 as a bridge for US and EU firms to share personal data. This was prompted by the EU’s move in 1998 to solidify and unify member states’ personal data regulations, and for many years (15, to be exact) this worked fairly well. As long as both sides of the Atlantic had proper and audited controls in place, personal data moved rather freely.
In 2015, however, challenges to the framework emerged in the EU courts that resulted in the Safe Harbor provisions being nullified. This in turn forced many companies to evaluate their data controls and the geographical location of that data. So, what does this mean? Unfortunately, if your business has been operating in a multinational fashion, shifting data across borders might have been trivial in the past; however, it is no longer so.
It is imperative that you begin reviewing your privacy policies, statements, and human resource activities and determine whether you should have separate EU and US versions of each. Additionally, data collection requirements are now vastly different: EU regulations require an informed opt-in, whereas in the US the process usually works with an informed opt-out. This is a significant change for many companies that sell, market, and do business internationally, and it can be onerous and time-consuming for companies not used to operating in that fashion. If you are working from the EU side, it is high time to start looking at local cloud service provider options, since US datacenters may be violating EU laws and regulations (we happen to know a great company!).
Does all of this mean the end of transfers of personal data? No, business still needs to be done. Methods and options are available; Model Contract Clauses and Binding Corporate Rules can be used to make a transition. However, there can be a substantial overhead cost to mid-sized and smaller organizations. Additionally, both the US and EU governments are working to address the issues with the Safe Harbor framework, but legislation takes time.
In the end, this is a disruptor but not a destroyer of business. One final note: as with all international laws and frameworks, it is highly encouraged that you engage a subject matter expert — or your cloud provider’s Compliance and IT Security teams — for more detailed options and plans.