Three Strategies to Prepare for Stricter EU Data Compliance following Sinking of Safe Harbor Agreement

Featured article By Vidhya Ranganathan, Accellion

With the recent invalidation of the Safe Harbor agreement, US multinational companies will have to revisit how they exchange personal data involving European citizens. Large-scale data access by US intelligence services, enabled by provisions of the US Patriot Act, prompted the European Court of Justice to conclude that US companies could not adequately protect European citizens’ personal data under the terms of Safe Harbor. This decision affects many multinational companies that previously relied on the agreement for transferring data out of Europe and storing it in the US. While this may be a win for privacy advocates, it has left roughly 5,000 companies with the need to quickly rethink how they transfer data between the Europe and the U.S. To make matters worse, companies have just three months to comply with the new ruling.

With a tight deadline and little direction from the EU, US companies need to quickly find a way to demonstrate compliance. Below are three strategies for companies to consider in order to ensure data exchange and storage pass muster with the European Union.

1. Plan internally, be nimble, and communicate

With a mere three months to establish compliance with new data sovereignty requirements, companies like Amazon and Google must begin investing right away in European infrastructure to host their cloud services. This could take several months to achieve and thus the risk of missing the deadline is real. In order to avoid penalties and fines from a slipped deadline, company CIOs, board of directors and executives will need to begin planning and integrating plans through all segments of the business immediately. In addition to acting quickly, companies need to be prepared to pivot as more details come from the EU. To facilitate, companies need to stay informed by monitoring for new developments related to the legislation. Working closely with legal counsel and regulatory experts to stay on top of key developments – and sharing those developments with stakeholders – is a great first step in ensuring that companies are on the right track.

2. Host data directly in the EU

If companies store their European data in the cloud, a good place for IT departments to start is determine exactly how that data is stored, who manages the data, and who else has access to it. Safe Harbor or not, knowing the answers to these questions is a best practice. By hosting data locally in each respective country businesses can comply with data privacy requirements and have more confidence in who is managing and accessing enterprise data. Localized storage solutions can either be hosted or, even better, maintained on-premise. The value in these solutions is that they offer complete data sovereignty, and fully comply with geographic restrictions mandated by the Safe Harbor invalidation.

3. Adjust to the repercussions of current disputes

Though the rejection of Safe Harbor is significant, a bigger threat is if Microsoft loses its long running dispute with the US government over emails stored in an Irish data center. The case revolves around the government’s right to access emails stored on foreign soil, with Microsoft arguing that the United States’ jurisdiction does not extend into Ireland. Should Microsoft lose its appeal, the message will be clear: ownership of the data center, and not ownership of the data, will be the determining factor for government access. That means technology giants like Amazon and Microsoft will have no legal basis for denying access requests from the US government, regardless of whether the data is, or has ever been, held within US borders.

While the Safe Harbor invalidation is causing major concern among companies that exchange information with the EU, a contingency plan to prepare for new compliance measures will serve as a key strategy. By staying up to date on current news, planning internally and seeking alternatives through hosting data directly into the EU via on-premise servers, companies can avoid potential penalties and ensure adequate preparation to meet the new reality of data privacy and compliance.

About Vidhya Ranganathan

Vidhya Ranganathan is Senior Vice President of Products at Accellion, the leading provider of enterprise mobile solutions that enable increased productivity and security. She has more than 20 years of product development and technical leadership experience, with a successful track record of delivering innovative products for companies such as Oracle, Catalina and Ramco. Ms. Ranganathan received her Bachelors in Computer Science and Engineering from National Institute of Technology, India.