Implications of the EU Safe Harbor Ruling - Your Next Steps
“The verdict of the European Court of Justice is a strong signal for more data protection and greater protection of privacy in a globally connected world.” So said Heiko Maas, German Justice Minister, commenting on this week’s ruling by the Court of Justice of the European Union. By way of background: since 2000, the so-called “Safe Harbor” framework has allowed US companies to self-certify that they meet EU data protection standards and, on that basis, to receive personal data transferred from Europe for processing in the US. The framework rested on the assumption that data held by those companies enjoyed an adequate level of protection, an assumption that was called into question by the 2013 disclosures of former NSA contractor Edward Snowden about US government access to that data. Snowden’s revelations triggered a spate of actions from others concerned with data privacy, including Max Schrems, an Austrian law student, whose 2011 term paper on Facebook’s disregard for European privacy law would ultimately lead to a complaint, and then a lawsuit, going all the way to the highest court in the European Union. This week, the court pronounced its verdict, declaring the European Commission’s Safe Harbor adequacy decision (2000/520/EC) invalid and forcing global organizations to rethink their policies and procedures for data transfers, storage and archiving. Note that the underlying Data Protection Directive, 95/46/EC, remains in force; what fell is the decision that treated Safe Harbor as satisfying it.
So what now?
In time, the US and the EU will negotiate a new framework for transatlantic data transfers. In the meantime, here are five critical questions about your corporate data that your organization should be thinking about:
- Does my organization house data for EU users on EU-based servers? If not, have my users been notified that their data is housed on US-based servers?
- Do I know what data my organization houses “off shore”? This includes email server databases, SharePoint servers and file servers.
- How is my cloud infrastructure configured? Do I have a US and an EU cloud? Does my organization have policies in place that define which user data is stored in which cloud geographic location?
- Do I have email hosted by Microsoft Office 365? Where is that data physically located?
- Do I know where and how corporate email is archived? Is it in one location (US or EU) or is it distributed across multiple archives in different geographic locations? Do I have policies in place that control access to my EU-based archives by US-based people or applications?
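The questions above are easier to answer, and to keep answering as the environment changes, if the inventory behind them is written down and checked mechanically. The following Python script is an added example written for this page, not code from the original post or from any vendor: it audits a constructed inventory of data stores and flags (a) stores holding EU data subjects’ data that are hosted outside the EU, (b) stores whose hosting region cannot be placed in any jurisdiction, and (c) EU-hosted stores readable by US-based people or applications. The region names, store names and principals are all assumptions made up for the example.

```python
"""Data-residency audit over a constructed inventory (added example, not the post's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed mapping from hosting region to legal jurisdiction. The region
# labels are illustrative and do not represent any provider's catalogue.
REGION_JURISDICTION: Dict[str, str] = {
    "eu-west-1": "EU",
    "eu-central-1": "EU",
    "us-east-1": "US",
    "us-west-2": "US",
}


@dataclass
class Principal:
    name: str
    location: str   # jurisdiction the person or application operates from
    kind: str       # "human" or "application"


@dataclass
class DataStore:
    name: str
    kind: str                    # "email", "sharepoint", "fileserver", "archive"
    region: str                  # hosting region as reported by the provider
    subject_locations: Set[str]  # jurisdictions of the people whose data it holds
    readers: List[Principal] = field(default_factory=list)


def jurisdiction_of(region: str) -> str:
    """Resolve a region to a jurisdiction; unknown regions are reported, never guessed."""
    return REGION_JURISDICTION.get(region, "UNKNOWN")


def misplaced_eu_data(stores: List[DataStore]) -> List[DataStore]:
    """Stores holding EU subjects' data that are not demonstrably hosted in the EU."""
    return [s for s in stores
            if "EU" in s.subject_locations and jurisdiction_of(s.region) != "EU"]


def cross_border_readers(stores: List[DataStore]) -> List[Tuple[str, str]]:
    """(store, principal) pairs where an EU-hosted store is readable from outside the EU."""
    hits = []
    for s in stores:
        if jurisdiction_of(s.region) != "EU":
            continue
        for p in s.readers:
            if p.location != "EU":
                hits.append((s.name, p.name))
    return hits


def audit(stores: List[DataStore]) -> Dict[str, list]:
    """Run all three checks and return their findings by name."""
    return {
        "misplaced_eu_data": [s.name for s in misplaced_eu_data(stores)],
        "unknown_region": [s.name for s in stores if jurisdiction_of(s.region) == "UNKNOWN"],
        "cross_border_access": cross_border_readers(stores),
    }


def sample_inventory() -> List[DataStore]:
    """Constructed inventory for the example; every name here is made up."""
    eu_admin = Principal("eu-mail-admin", "EU", "human")
    us_ediscovery = Principal("us-ediscovery-svc", "US", "application")
    us_analyst = Principal("us-analyst", "US", "human")
    return [
        DataStore("mail-eu", "email", "eu-west-1", {"EU"}, [eu_admin]),
        # EU archive readable by a US-based application: a cross-border access finding.
        DataStore("archive-eu", "archive", "eu-central-1", {"EU"}, [eu_admin, us_ediscovery]),
        # Mixed EU/US user data hosted in the US: a residency finding.
        DataStore("sharepoint-global", "sharepoint", "us-east-1", {"EU", "US"}, [us_analyst]),
        DataStore("fileserver-us", "fileserver", "us-west-2", {"US"}, [us_analyst]),
        # Region not in the map: flagged as unknown and, since it holds EU data, as misplaced.
        DataStore("backup-tenant", "archive", "ap-southeast-1", {"EU"}, []),
    ]


if __name__ == "__main__":
    for finding, items in audit(sample_inventory()).items():
        print(f"{finding}: {items}")
```

Two design choices matter here. A region that is not in the jurisdiction map is treated as a finding in its own right and also counts as “not EU” for the residency check, so a newly added region or an unfamiliar provider label cannot silently pass. And the access check looks at who can read an EU-hosted store rather than where the store is, which is the question the last bullet asks: an archive kept in the EU but routinely read by a US-based eDiscovery service is still a transfer in practice.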