EU’s new data protection regime reflects reality of cloud
For European Union (EU) businesses these are interesting times to be involved in data compliance. Two major developments governing the use of personally-identifiable information have raised their heads in Europe, each of which require clients to be circumspect in their moves to cloud.
At QUADROtech, we don’t think that’s a bad thing. Everyone should be concerned about privacy and security, and these developments have been necessitated because cloud-based services – like corporate email – are now so well established. The ultimate aim is to create stronger, universal policies and frameworks to protect information better.
What’s more, it’s clear the major vendors with which we work – such as Microsoft – have had these issues on their radar for years. As we’ll see, they already meet European standards and we’re confident they’ll continue to do so.
We don’t think there’s any place for scaremongering. Things are changing, and certainly client organisations will need to keep on the front foot, but the end result is going to be a better data protection regime for everyone.
EU General Data Protection Regulation (GDPR)
The current Data Protection Directive 95/46/EC (written before the advent of social networks and cloud computing) is well overdue for replacement. By 2017 the European Commission will adopt an extensive new law – General Data Protection Regulation (GDPR) – unifying data protection and privacy.
GDPR will be directly applicable to all EU member states, and the EU specifically notes that it “foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of your data when it is exported abroad.”
GDPR will actually come into effect a couple of years late, owing to the long consultation process, but we expect the new law to bring much-needed clarity for those moving to cloud services. We’re also confident that leading email and archiving service vendors will be able to meet whatever audit requirements you’ll need to make.
In the meantime, recent changes to EU ‘Safe Harbor’ principles noted below have, if anything, accelerated vendors’ responses to the changing data protection landscape.
Safe Harbor suspension and its implications for businesses using cloud services
Sixteen years ago the EU and US set up a voluntary ‘Safe Harbor Agreement’ to allow personal data to be transferred to US jurisdiction, despite US privacy laws not being aligned with EU norms.
A ruling by the European Court of Justice (ECJ) on October 6, 2015 confirmed these ‘Safe Harbor’ rules on data sharing between the 28 nations of the EU and the US are now invalid, and that, to authorize the export of data, the two bodies involved must draw up and sign ‘model clauses’ which set out the US organization’s privacy obligations.
Some commentators suggest that the Safe Harbor ruling could severely disrupt business between EU firms and US cloud firms. We think that’s rather extreme; our view is that it’s a welcome wake-up call for the industry, as it’s always been vital to carry out due diligence and make sure you’re not exposed when you sign up to any cloud service.
Why vendors like Microsoft are safe to work with
Following the suspension of Safe Harbor, Microsoft enterprise customers don’t need to worry that their use of its cloud services worldwide will be interrupted or curtailed.
Last year all 28 data protection authorities in the EU confirmed in a joint letter that Microsoft’s enterprise cloud contracts already meet the high standards of EU privacy law and the requirements of the ‘model clauses’ mentioned above. Personal data stored in Microsoft’s enterprise cloud is therefore already subject to Europe’s rigorous privacy standards no matter where that data is located on Microsoft’s enterprise cloud services – including Azure and Office 365.
What’s more, even if the Safe Harbor Agreement had remained in place, it would only have covered data transfers from Europe to the US. Microsoft’s approved contractual commitments, by comparison, enable transfers globally.
Brad Smith, Microsoft’s president and chief legal officer, stated: “…customers can use Microsoft services to move data freely through our cloud from Europe to the rest of the world. We will take proactive steps to expand these legal protections to benefit all of our enterprise customers… and will continue to ensure that we can comply both technically and operationally with the stringent obligations imposed by these contractual commitments. All of our customers, whether they have operations in Europe or elsewhere, benefit from the strong engineering protections we have put in place.”
Facts, not FUD
We think it’s a shame that some people in our industry are stirring up fear, uncertainty and doubt (FUD) around these issues.
As we’ve seen, the EU privacy changes are proving beneficial. Companies are having to up their game in the way they protect personal data. And vendors have already raised the standards of their contractual obligations to EU enterprise customers.
QUADROtech’s role is to help you migrate your email ecosystem to whatever platform suits your needs, wherever that may be. We’re confident that our contracts and those of our partners will meet whatever the authorities throw at us, now and in the future.