EU ruling finds Safe Harbor agreement unfit for purpose – what does this mean for your data?
We’ve been having conversations internally, and with customers and suppliers, about the recent EU ruling on the Safe Harbor agreement for moving data between the EU and the US.
For those of you who missed the recent ruling, the Court of Justice of the European Union (CJEU) found that the US Safe Harbor rules did not meet the requirements of the Data Protection Directive. The successor regulation is still under consultation, and with its adoption date at the end of this year, there could well be further movement and additional guidance.
The ruling presents global companies with a real problem as to whether they should continue to share EU data with US organisations and services. It raises significant issues for over 4,500 companies, including global cloud-based file exchange platforms such as Dropbox, Box, Google, Amazon and others, where data residing on European servers is automatically and systematically copied to US data centres for redundancy and backup purposes.
What’s wrong with this, I hear you ask? The underlying issue is that the US Patriot Act takes precedence for any US company, which essentially means that the US authorities can access any data held on US soil. European businesses rightly need to consider whether their data should continue to reside in a cloud-based solution provided by a US company. The alternative is to secure their data with an on-premises or private cloud solution, where control of, and access to, the encryption and security keys is held by the data owner. This applies to many different business-critical applications, and probably represents the only real way of countering the Patriot Act.
Our internal discussions naturally focused on on-premises managed file transfer solutions, and we’ve concluded that they are not directly affected. Safe Harbor is concerned with the storage and governance of data once it has reached the US. It is therefore down to the data controllers to ensure that appropriate contracts and audited processes are in place between the two ‘trading entities’, to maintain the security of the data stored outside the EU.
Fundamentally, if you’re using a US-owned cloud-based system you have no control over the governance of your data. Implementing a managed file transfer system gives you control over your data at all times, whether it is installed in a private cloud or on premises. Typical managed file transfer features such as data sanitisation help with the management of the data, and with the logging and reporting that are central to MFT you have a complete audit trail of who accessed your file, at what time and from where.
Managed file transfer is the ideal tool for EU organisations to address current concerns, and also to be ready for the changes brought by the General Data Protection Regulation (GDPR).
In general, all the procedures for handling data, access to the data, removal of old data and even the onward transmission of data should be covered by contracts, agreements or procedures between the EU and US ends of the transmission.
It is our recommendation that businesses immediately review their data sharing practices, including their use of US cloud sharing services such as Dropbox, to ensure they are well placed to act when the final ruling is made public.
If your organisation is using a cloud-based data sharing solution and you’re concerned about the governance of your data, your options include an on-premises solution, a private/hybrid cloud offering, or extending your existing solution to meet these needs. Speak to one of our friendly MFT specialists for independent, expert advice by calling 0333 123 1240 or get in touch here.