The Post Safe Harbor Era: New Opportunities for Service Providers
At the beginning of June, Reuters reported that for the first time, fines were imposed on companies in Germany that continue to act as if the Safe Harbor Privacy principles are still valid. The US-EU agreement was invalidated by the EU high court in October 2015.
Immediately after the ban, new negotiations began for obvious reasons. The stakes are very high: the transfer of EU personal data to the US without the explicit consent in each case of every user is prohibited. Every citizen, consumer organization or regulator can, in principle, start legal proceedings against companies that ignore the ruling.
This truly is a sword of Damocles hanging over the market and nearly everyone in the IT industry wants it removed as quickly as possible.
The complexity is apparent. The public and policy makers focus their attention on companies that have data. The relevance of the current situation to the hosting and data center industry is, however, still underexposed.
Let’s have a closer look at three common issues:
- The Infrastructure
Companies that use software or hardware to process personal data should be aware of the “call home” function that many applications and devices include, mainly for maintenance and monitoring. Do they know that during that process, (parts of) personal data can be transferred as well?
Even if all the data is stored and processed in the EU, some of it may be transferred to non-EU countries. That possibility concerns just about anything in a server rack: servers, switches, routers, storage.
Who is responsible for that hardware? Some providers and data centers have already received inquiries about this matter; still, not all have answers that will reassure users and end users. Switching off these features is an option. We know that, for example, in the public sector of several EU member states, that option, with off as the default mode, is required for all new appliances.
- Cloud Marketplaces
Data centers and large providers increasingly offer connectivity via their platforms with the infrastructure of clouds from third parties. Providers should analyze all components of those marketplaces to find out if there is a possibility of personal data being transferred to non-EU countries.
Sound complicated? You’re right.
- Data of Employees
Let’s turn to one detail of those first fines in Germany. The imposed amount, equivalent to $32,000 USD, is not particularly high. What is striking is that the local supervisor (by the federal structure of Germany, each state has its own regulator) found two violations at Adobe, Punica and Unilever. Customer data and data of employees were being exposed.
Most press attention to date has gone to the data of the customers and/or website visitors. For all multinationals, the second category is extremely relevant. Some multinationals, even before the October court ruling, decided to quit the idea of centrally controlled payrolling and so on. They opted instead for decentralized solutions to avoid possible violation of EU legislation. Imagine the costs of that decision and the work that has to be done by IT to make it happen.
So what does this mean for the daily business of service providers, hosters and data centers in this complex situation?
If you are based in the US, the bad news is that chances are you have end-user data on your systems that the customer is not allowed to store or process. That is the customer's responsibility, but potentially, the customer's decision to terminate could hurt you. The second point is about the marketplaces that might include services that move or copy data to other regions. You have to be transparent about that, because a misinformed customer could cost you sales.
There is some good news as well: transparency and clear communication are more rewarding than ever.
EU companies are confused by post-Safe Harbor implications and the upcoming GDPR situation and are looking for clear answers. US companies are also looking for future-proof solutions for dealing with customers and situations in the EU.
There are providers, in both the US and the EU, that consider their proven knowledge of this lesser-known data traffic, and their ability to give advice on application and data migration to specific geographical areas, a unique selling proposition.
Each year, HostingCon Europe focuses on the issues, trends and legislation that affect your business. Attend to get cutting-edge information about changing market conditions and how to navigate challenges in the EU marketplace. Learn about post-Safe Harbor security issues with our panel of experts, including US attorney David Snead and Alban Schmutz, SVP at the number one hosting provider in Europe, OVH.
Source: TheWHIR