To Managed Service Providers, the End of Safe Harbor Agreement is Boon or Bane?

On October 2015, the European Court of Justice dictated on the case Maximilian Schrems v Data Protection Commissioner. This judgment has 2 essential areas:

  • The Court reported the EU Commission’s decision on the sufficiency of the EU-US Safe Harbor arrangement incorrect with instant impact.
  • The Court confirmed the higher capabilities of national data security authorities in supervising outbound transactions of personal data, even if depending on sufficient decisions of the European Commission.

As a result of the judgment, the Safe Harbor agreement is made useless. furthermore, different mechanisms for moving personal data to non-sufficient countries, including the EU model contractual clauses or joining corporate guidelines, will probably turn out to be an issue to a better level of examination of European data security authorities, particularly in case they are utilized for transfers to the US. Following the Court’s judgment, organizations are recommended to evaluate which of their data transactions are depending on Safe Harbor and differentiate between data transactions via the US-based cloud and outsourcing suppliers, and inner data transactions. We furthermore suggest not getting into any new agreements that involve Safe Harbor.

Data Processing By US Cloud and Outsourcing Providers
Numerous united states-based cloud and outsourcing suppliers depend on Safe Harbor like a foundation for transfer of data from the European Union to the United States. Following the ECJ’s ruling,this is not anymore permitted. We recommend organizations to evaluate their current United States cloud and outsourcing agreements in perspective of the ECJ’s decision. If Safe Harbor is being reliable,we suggest discussing prospective options with the particular service suppliers and renegotiating contractual conditions where required. For apparent factors, we do not suggest getting into any new contracts which make reference to Safe Harbor as a foundation for transfer of personal data from the European Union to the United States.

Internal Processing Of Personal Data
Following the ECJ’s ruling, organizations might not anymore use Safe Harbor for inter-group transfers of personal data between the EU and the United States. As Safe Harbor achieved an obvious economic demand, we assume that the European Union and the United States will proceed their conversations on a current Safe Harbor framework. Despite the fact that organizations can select to hold out a few months and notice what these discussions on a current Safe Harbor framework deliver, it indicates agreeing to a risk of non-compliance. Furthermore, a new Safe Harbor framework will probably be an issue to complain very much like that which directed to the ECJ’s decision.
The use of European Union model contracts may offer a non-permanent solution for non-compliance. European Union model contracts, as sanctioned by the EC, contractually enforce a level of data security on the receiver of the personal data. If implemented in unmodified type, the clauses typically enable transactions to a non-EEA country with no additional authorization by a national data security authority.

Can Companies Still Rely On Safe Harbor?
Simply no. The ECJ reported the EC judgment 2000/520/EC on Safe Harbor incorrect with direct impact. Organizations can not anymore depend on the Safe Harbor agreement. This could be changed if the European Union and the United States attain a new arrangement on Safe Harbor. The discussions have been advancing little by little. The modified Safe Harbor is anticipated to address, amongst other points, the national security access concerns that have brought up issues.
These days, that arrangement has been considered incorrect, meaning that each organization providing European customers’ demands in order for reexamining its data practices. Needless to say, this is mainly the purview of our technology management associates. But client information professionals really need to partner directly with them on a couple of fronts:

  • Converse regarding your 3rd-party data sharing techniques. This contains sharing among business partners (one example is, transferring customer data to a company which conducts your loyalty system or manages guarantees), sharing CRM data along with digital marketing suppliers, and perhaps making use of 3rd-party tracker on your site which acquire IP addresses. Any kind of 3rd party data sharing might occur under examination from the European Data Protection Authority, thus, you are going to need to have a permission-based model for acquiring and sharing that data shortly.
  • Determine almost all marketing providers that contact European client data. Operate with S&R colleagues to examine your existing providers’ procedures and capability to interact to the judgment. Particularly, pay a very close attention to the database managed services providers (MSPs), client relationship companies, data management systems, and client analytics providers. The majority of these providers are currently triaging to make sure they can respond properly given the sorts of personal data they deal with, so they ought to be capable of offering you with their own conclusions and plans shortly.

This pain for the majority of organizations will live shorter. The bodies of the government and political figures will at some point get to an arrangement due to the fact that the digital economic climate and across the Atlantic digital industry is significant and essential it’s not going to come to a full halt just because of the judgment.

This is an unlucky, and really expensive judgment, and blaststhe long-lasting dedication that infrastructure vendors have used to put into action data security strategies for client data. Quality IaaS vendors offer clients with safe, cloud-based digital infrastructure and are versatile enough to manage the tools and software described networking architectures that provide clients command over their data, encryption strategies, and data transfer strategies.