So this month we’ve seen the ECJ torpedo the Safe Harbour agreement, which allows businesses handling personal data on EU citizens to transfer it to the US. I wrote about it here and here. The immediate effect was for affected businesses to look for other ways to legitimise carrying on as they had before, such as “Binding Corporate Rules” and “Model Contracts”. At the time, I said “don’t panic.”
In my professional opinion, now is the time to panic. A German federal data protection authority has just published an opinion that no strategies exist allowing continued transfer of EU citizen data to the US. Unless there is a change in US law, businesses processing or storing this data outside the EU risk substantial fines.
The EU does not have a good track record when it comes to pragmatism in the face of conflict between high-minded principles and increased business costs. Nor would the ULD have issued a formal position paper without taking legal advice and sounding out the relevant EU bodies. So there’s a good chance – but not a certainty – that this too will become formal EU policy. What is certain is that extra-territorial data transfer will be subject to much greater scrutiny over the coming months.
So, if your existing cloud provider, SaaS application, or technology or business process outsourcing partner hasn’t given you certainty over the jurisdictional location of your data, now is the time to find out if they can. And if they can’t, now is the time to start looking at alternatives. If you’re about to press the button for an Office 365 or Google Docs migration, now is definitely the time for some swift reconsideration.
Disclosure of interest: my main business, Managed Networks, operates a desktop-as-a-service product, DesktopLive, as well as other cloud and hosting offerings, all of which are based entirely in UK data centres and built on delivering jurisdictional certainty as a core value.