A few days ago, I wrote about European Court of Justice Advocate General Yves Bot. He had decided that Facebook shouldn’t have transferred data about an Austrian student to its US data centres. At the time, this was just an opinion. Now it’s an official ruling by the ECJ. This is where it gets interesting. It matters to you in two different ways.
In your personal life you probably use a wide variety of web-delivered services which make use of your personal data. Many of them will be US-based, or US-owned. Not just Facebook and its subsidiaries; think about Strava or RunKeeper; Twitter; Google and so on. All of them will have to adjust to this, which may mean some disruption; it will certainly mean higher costs for them. That either means more ads, or it means you’ll have to start paying.
Perhaps more importantly, you may have moved some, or all, of your business data into the cloud. Now we’re talking about your duties as a data controller when it comes to the personal data you process about your staff and customers. You can’t rely on Safe Harbor any more either. Do you know where your data is stored? It’s not just the direct public clouds like Office 365 and Google Docs that you need to think about. Where do your line-of-business applications run? Where’s your Salesforce data? What about your accounts (and therefore payroll)? Many software-as-a-service businesses use public clouds, like Azure and AWS, to provide hosting – that’s why so many services went dark in the recent AWS outage. If they’ve made sure their data is replicated between two “regions” in one of those clouds, which was a commendable resilience strategy, they now have a data protection problem.
A final point: what about outsourced business processes? These days, it’s not just you that processes your customer data, is it? If you’ve outsourced your IT support, or your customer service desk, or your back-end settlement processing – where is that outsourcer storing the data? They may also have relied on Safe Harbor.
Right now, this is breaking news. No-one knows what will come next, and no-one (least of all me) is advocating a panic reaction. But if you thought that data in the cloud was out-of-sight, out-of-mind, now would be a good time to have another look at it; and if you’ve yet to move, and are thinking about it, it’s also a good time to ask your candidate service providers some searching questions.