The European Court of Justice’s verdict on ‘Safe Harbour’, the agreement which legitimised data transfer between the US and EU, was more unexpected in its timing than its content. The impact of Safe Harbour’s demise on the largest digital enterprises is likely to be minimal, with several already maintaining EU data centres and supplementary contractual agreements on data privacy. However, there is no doubt that this is only the beginning of the legal wrangling around the issue.
The implications of the judgement go far beyond the headline issue of personal privacy. Media coverage has focused on the rights of individuals, but the question of business data is just as pertinent. The security of price-sensitive information, intellectual property and confidential records must always be guaranteed. Where cloud services are involved, however, the ECJ’s judgement may now make it hard to give such guarantees in a legally valid manner.
According to the Financial Times’ report, over 4,000 companies make direct use of Safe Harbour, but the number of organisations that must take account of this judgement is many times greater. Many of the customers of those initial 4,000 will also be companies, with responsibility for their own customers’ data, and those customers could be organisations too. Assessed by new legal standards, that digital supply chain could now be hiding unexpected liabilities for organisations that have not looked closely enough at the cloud services they use.
Arguments around the merits of public cloud and private cloud infrastructure are well-worn, but it is worth noting that a private cloud sidesteps many of these concerns. When services or products run on a network whose exact physical limits are known and protected, the legal status of the data they contain can always be assured.
Although it will take some time for the true implications of the Safe Harbour ruling to become clear, it should be a wake-up call for companies in all sectors to think clearly about their digital estate and the data it contains. With products and services that are based in the cloud, the legal status of the data they hold can only really be assured by identifying its actual physical location.
In some cases, particularly where price-sensitive and other financial details are concerned, there will be a strong case for shifting to products and services that allow business leaders control over the location of their data. While legal questions remain unresolved, this is the only way in which that data can be deemed truly secure.