How will the 'Cloud' survive without the 'Safe Harbor'?
Safe harbor is the agreement between the United States Department of Commerce and the European Union (EU) that regulates the way US companies may store and process the 'personal data' of European citizens. This framework, developed in the year 2000, is used by buyers and suppliers to mutually accept the level of data protection required. When buyer organisations procure Cloud Services, more often than not their data (including personal data) are stored and/or processed in data centres managed by the service provider. These facilities could be physically located in any geography, depending on the provider's own data storage strategy.
At the end of 2015, the European Court of Justice delivered a judgement in a particular case which sent a very strong message that safe harbor alone was inadequate to ensure the protection of personal data.
What will happen now?
- Cloud service providers will revisit their service delivery strategy for EU customers. Large scale providers such as AWS already allow buyers to choose the physical data storage location.
- Some Cloud suppliers will decide to invest in data centres in the EU region. This will impact the cost of their service.
- Each of the 20+ EU countries can now formulate its own requirements to protect data that is transferred outside the region. Administering these requirements at the supplier end would be highly complex and may increase the cost of their offerings.
- Buyer organisations will have a smaller pool of suppliers to choose from. They may even have to bring back some of the services in house. This will have an adverse effect on their capital & recurrent IT budgets.
- The European Commission and the United States will agree on a new framework. The initial statement of this 'EU-US Privacy Shield' was released in February this year.
- Cloud suppliers will work towards getting non-geography specific accreditations such as ISO 27018 (protection of personally identifiable information in public clouds).
Though the context of this issue seems to be limited to the US and the EU region, the data protection principles that have come to light as a result are universal. The recent judgement does not completely invalidate the safe harbor framework that had been operating for 15 years. It merely questions its adequacy. In my opinion, this recent development only challenges both supplier and buyer organisations, positively, to be extra vigilant on where & how they store data.
What is your opinion?