alphaspirit - Fotolia

How does data privacy in the cloud change post-Safe Harbor?

Our global enterprise previously transferred data from the E.U. to the U.S. With Safe Harbor struck down, what is the impact on cloud providers and data privacy?

Safe Harbor was an agreement between the United States and the European Union that allowed corporations to store Europeans' end-user data in the U.S., as long as those companies complied with E.U. data privacy laws.

For example, if a U.S. company had operations in the E.U. and did business with E.U. citizens, Safe Harbor would allow that company to store data from the E.U. in data centers located within the U.S. However, on October 6, 2015, the European Court of Justice struck down the Safe Harbor agreement, effectively ending the transfer of data from the E.U. to the U.S.

The end of Safe Harbor poses potential problems for U.S. businesses because data acquired from E.U. operations now must be stored and processed in E.U. data centers. This means a U.S. business will need to build or colocate to data centers within the E.U., or engage the services of public cloud providers with facilities within that geographic region.

The actual business ramifications of this are still unclear. For example, U.S. businesses with global operations may not be able to easily integrate E.U. data into global analytics processes. These potential issues involving data privacy in the cloud can profoundly affect business planning and decision making.

On the other hand, it could turn out to be a nonissue. Large corporations and public cloud providers with global regions such as Amazon Web Services (AWS), Microsoft Azure and Google may be able to continue data transfers because of other binding agreements outside of Safe Harbor. Companies that use large public cloud providers like AWS should see little affect to current business operations. However, smaller businesses that depended on Safe Harbor for legal data transfers may have little choice but to engage public cloud facilities in the E.U. for processing and data storage -- or risk losing access to the E.U. market.

Every business bears direct responsibility for regulatory compliance, but compliance is also affected by the partners and subcontractors that a business engages. This can be particularly problematic for public cloud providers. Although cloud providers typically aren't obligated by the same suite of regulations as their customers, they must demonstrate and maintain adherence to regulatory requirements -- otherwise customers cannot do business with them.

For public cloud providers like AWS, it's just another cost of doing business. But don't rely on providers' websites and promotional materials for compliance assurance. Take the time to perform due diligence, involve the legal or compliance teams to assess a provider's posture on data privacy in the cloud and verify that your business will remain compliant when involving a cloud provider.

Next Steps

How do I replicate data across AWS sites?

How do AWS compliance certifications stack up to Azure?

What's needed to maintain AWS compliance?

Dig Deeper on AWS compliance, governance, privacy and regulations