What the EU's Safe Harbour ruling means for European businesses

Mike Fey considers the European Court of Justice's invalidation, on 6 October, of the agreement governing data transfers between EU and US organisations.

Mike Fey, President and COO, Blue Coat

For the past 15 years, more than 5,000 companies have relied on Safe Harbour as the legal basis for moving information from Europe into the US. The decision to invalidate that option is likely to wreak havoc for thousands of businesses: they will have to move away from this framework for transferring EU data to, and storing it on, US servers, and find another lawful basis for doing so.

In a recent industry talk, Wikipedia's co-founder Jimmy Wales said the dismissal of Safe Harbour won't impact his company, but that it will create 'unbelievable complications' for tech firms such as Facebook and Google. Wales went on to say that the Safe Harbour ruling worries him as a consumer as well as an entrepreneur, because the move to an era of 'Balkanised' data, where data has to be held in-country in very specific ways across many jurisdictions, will more than likely slow down access to data.

Whilst the ruling will immediately affect US companies doing business in EU countries, its effect will spread globally. Other countries may either follow suit or retaliate, so companies should be prepared for this to become a much bigger issue over time. It will likely have an impact on investment and financial performance, as companies may need to build new data centres where the data resides. Funding that investment could affect a provider's ability to sell services to entire regions.

Impact on cloud computing

The rapid uptake of cloud applications by European consumers and businesses means many cloud services require EU enterprises to send data to cloud infrastructure in the US for processing and storage. Under Safe Harbour that was allowed, but the recent ruling looks to reverse it and compels organisations to react.

One of the more immediate places where businesses will feel the impact of this decision is cloud computing. Tightening data privacy regulation carries consequences for businesses that can't adapt quickly, and it puts cloud service providers (CSPs) in a particularly difficult situation. They depend on the Safe Harbour framework to do business in Europe, relying on it to authorise them to store data on behalf of European companies and mobile application developers.

As organisations push cloud adoption, sensitive and regulated data will inevitably end up in the hands of outside service providers, such as SaaS applications. Recent survey findings show that most IT security professionals believe they do not have full visibility into where all of their organisation's sensitive data resides.

How can businesses overcome these changes?

Organisations need actionable advice for instituting proactive mechanisms that ensure data privacy and regulatory compliance while they run the business; the Safe Harbour framework offered no such guidance. Here are five tips to help businesses control cloud data and access in light of the Safe Harbour ruling and an evolving regulatory landscape:

  1. Improve visibility into exactly what data is moving outside the business's network, and where it is going. Discover hidden cloud services, inventory sanctioned clouds, and determine where all the data centres are and which ones need to be compliant.
  2. Take proactive steps to tokenise data to ensure compliance with prevailing EU data privacy regulations. Tokenisation is considered by many to be the existing standard for addressing data privacy and compliance, since tokens have no mathematical relationship to the original clear-text sensitive data and leave no possibility of back doors.
  3. Because a business's primary and backup data centres may be located in different countries or regions, businesses may have to use cloud service providers' local EU data centres; bear in mind that providers often reserve the right to move data between data centres.
  4. The regulatory and data privacy landscape will continue to change, so businesses need to future-proof their IT and cloud infrastructure, anonymising and encrypting data so they have the flexibility to adapt quickly to evolving regulations. Businesses need to take responsibility for implementing ways to share data in anonymised form that still give them the insights they need without violating individual privacy requirements.
  5. When encrypting data, sole physical ownership and custody of the encryption keys are the suggested means of data protection. Businesses must have an encryption approach that protects data in all three phases of the cloud data lifecycle: in transit, at rest and in use.
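Tip 2 hinges on the point that a token has no mathematical relationship to the clear text it stands for. The following added example (not code from the article or from Blue Coat) illustrates vault-based tokenisation: random tokens are generated and the mapping is kept in an EU-side vault, so a record exported to a US-hosted service carries only tokens. The field names, the `SENSITIVE_FIELDS` list and the sample record are assumptions made for the example.

```python
import secrets
import string

class TokenVault:
    """EU-side vault: clear text stays here, only random tokens leave.
    No key or function maps a token back; the vault lookup is the only way."""

    def __init__(self):
        self._token_to_clear = {}
        self._clear_to_token = {}

    def tokenise(self, clear):
        # Deterministic per value so records still join on the token; note this
        # lets the recipient see that two records share a value (equality leaks).
        if clear in self._clear_to_token:
            return self._clear_to_token[clear]
        if not any(ch.isalnum() for ch in clear):
            raise ValueError("nothing to tokenise")
        while True:
            # Keep length and character classes so downstream field validation
            # still passes, but every letter and digit is chosen at random.
            token = "".join(
                secrets.choice(string.digits) if ch.isdigit()
                else secrets.choice(string.ascii_uppercase) if ch.isupper()
                else secrets.choice(string.ascii_lowercase) if ch.islower()
                else ch
                for ch in clear)
            if token != clear and token not in self._token_to_clear:
                break
        self._token_to_clear[token] = clear
        self._clear_to_token[clear] = token
        return token

    def detokenise(self, token):
        # KeyError for an unknown token: only the vault can map it back.
        return self._token_to_clear[token]

# Fields that must not leave the EU in clear (assumed for this example).
SENSITIVE_FIELDS = ("email", "passport_no")

def prepare_for_us_cloud(vault, record):
    """Copy of a customer record that is safe to send to the US-hosted
    service: sensitive fields replaced by tokens, everything else untouched."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.tokenise(out[field])
    return out

# Constructed sample record, not real data.
SAMPLE = {"customer_id": 1042, "email": "anna.berg@example.eu",
          "passport_no": "AB123456", "plan": "pro"}
```

The vault (and its backing store) is the asset that must stay under the business's own control in the EU; the exported record can be processed and stored abroad without exposing the underlying values.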

In the coming days and weeks, the case involving Max Schrems and the Office of the Data Protection Commissioner is expected to come back before the High Court in Ireland. With that in mind, and given a regulatory landscape full of twists and turns, businesses need to ensure they can dance to the regulator's tune.

Contributed by Mike Fey, President and COO, Blue Coat