Since yesterday’s ruling by the European Court of Justice that the 15-year-old, so-called ‘EU-US Safe Harbour Agreement’ is invalid, organisations within the EU will be evaluating their use of US-based cloud services to determine whether they are compliant with data protection regulations.
The Safe Harbour Agreement, made between the EC and US, attempted to provide reassurances that EU citizens’ data and privacy would be protected if transferred by US companies to the US. The agreement enabled US companies to self-certify that they would adequately protect EU citizens’ data.
The ruling invalidating the agreement comes on the back of the Edward Snowden revelations, which showed that US security services were able to gain unlimited access to any data that had been transferred to the US from the EU, even if there was no identified or suspected threat to national security.
So what impact will this have?
Within hours of yesterday’s news, US-based cloud providers were scrambling to limit any fallout. Some of these companies are making available a “data processing addendum” that incorporates the European Commission’s standard contractual clauses, commonly referred to as “model clauses”. This should help to reassure customers in the short term that their data transfers will be validated and continue to have (potentially) the same level of protection currently observed under EU data protection laws.
In addition, a new Safe Harbour agreement is being negotiated between the US and EU but, after two years of discussion, is proving difficult to ratify. In light of yesterday’s ruling, these discussions will no doubt have a renewed urgency.
The impending replacement for the Data Protection Act 1998, called GDPR (General Data Protection Regulation), is also nearing publication, and this will provide long-term protection for the processing of data relating to EU citizens.
How the US and US-based cloud service providers react to yesterday’s “invalid” news, and the impact this ruling has on legislation, will undoubtedly shape the delivery of global cloud services in the future.
Is Redstor affected?
No. Whilst Redstor is a global provider of software and services, Redstor is not US-owned and works closely with all clients, regardless of geographic location, to ensure their sovereignty requirements are met. In addition, our services feature strong encryption and customers are in control of the encryption key, meaning that only they have the ability to decrypt their data.