Now that the dust has settled, let’s revisit last week’s ruling regarding Safe Harbour. In case you’re unfamiliar with this international headline, the European Court of Justice ruled invalid a fifteen-year-old data transfer pact between the United States and Europe.
When former National Security Agency (NSA) contractor Edward Snowden exposed the extent of the NSA’s international data surveillance, he created a ripple effect. The result? Public anxiety around data privacy has become cemented in international law. What does this mean for IT service and solutions providers in the U.S. and U.K.? We can’t definitively say, but here’s a closer look at the situation…
Is There a Trickle Down Effect?
Right now you’re probably thinking… but I’m not Facebook or Google. Aren’t they the only ones who should be sweating bullets about this? True, the immediate impact will be experienced most by these tech mega-companies, but that doesn’t necessarily mean SMBs are in the clear. Most of the coverage you’ll read discusses how this decision affects the regulation of “big data.” By this I mean the personal data companies collect regarding a person’s social media activity or web search and purchase history. With (Un)safe Harbour, there’s now uncertainty over whether this data can legally be distributed across the Atlantic. While sure, this is a problem for the Facebooks, Googles, and Amazons of the world, what about all of us who rely on their services to gather lead and client information for subjects outside of our borders? Can a U.S. company seeking to prospect in Europe legally gain access to a U.K. resident’s web history to run targeted remarketing campaigns designed to hold their interest? We don’t know at this point.
Social and browsing data aren’t the only examples of “personal data” as defined by the EU…
As we already learned in
It’s also curious that the EU seeks to move to one, unified data regulation standard when this new ruling affecting approximately 4,500 companies establishes the precedent that each individual European country may choose how they regulate US companies’ processing of personal data.
The Community is Buzzing!
While time will tell what comes of this judgment, a few leading publications are already weighing in.
TechCrunch, for instance, claims “companies will need to restructure their European data processing operations — such as building European data centres to process regional data,” adding that “such shifts might require other significant procedural changes in how they manage user data flows.” If you’re an MSP operating in the U.S. with European clients or a European office, this potential change could be an incredible undertaking, both in terms of cost and time.
The Financial Times also suggests that companies, especially cloud services companies like Amazon Web Services and Salesforce, may increasingly localise with data centres in Europe, potentially leaving SMBs at a disadvantage. In response to their findings, I wonder if AWS expanding its global infrastructure might mean smaller cloud hosting providers may not be able to keep up and MSPs may be forced to migrate to AWS. Think about the supply and demand angle here. If you’re AWS and are experiencing a huge influx of businesses demanding your services out of necessity, won’t you want to increase your price? Again, this is merely conjecture reflective of the uncertainty the ruling has introduced for businesses of all shapes and sizes.
What About U.K. MSPs and MSPs Considering International Expansion?
The Financial Times also draws attention to the millions that smaller EU companies may have to spend to take on “the strenuous task of shifting data held on American computing infrastructure back to Europe, or securing the technical legal agreements to satisfy the new data protection regime.”
Then, you have to consider those enterprising IT service providers that seek to take on clients in the U.K. (if they’re a U.S. company) and the U.S. (if they’re a U.K. company). There’s an appeal for some larger U.K. MSPs to serve clients in the United States, since English is the primary language. With the scope of language fragmentation between European countries, targeting the U.S. may be the next logical step for U.K. IT solutions providers wanting to branch out of their territory. With this new data transfer grey area, does that mean that the majority of these businesses will delay expansion indefinitely?
Should We Expect any Loopholes?
The data protection authority (DPA) of the German federal state of Schleswig-Holstein has stated that any and all attempts to evade the European Court of Justice’s judgment will be illegal, claiming “only a change in US law can make US companies compliant with European legislation.” Furthermore, violators can expect to pay up to €300,000.
Considering that Safe Harbor was a loophole that enabled U.S. companies to evade the full weight of the European Data Protection Directive via these seven principles, we should expect more resistance to the restriction of the free-flow of data. In fact, we’re already witnessing this. According to Business Insider, the US Department of Commerce still plans to carry out Safe Harbour, despite the fact that any arrangements made after the ruling “will not hold any legal weight with European authorities — meaning American companies who choose to take this route are opening themselves up to legal challenges from national regulators.” And guess who they’re directing further inquiries to, as expressed on their website? The European Commission (EC) or legal counsel. It’s only been a short time since the ruling, and already we’re facing a tangled mess of international bureaucracy along with business uncertainty.
Are there any other exceptions that are legally upheld?
At a press conference, the EC’s justice commissioner Vera Jourová confirmed data-sharing alternatives to practice in the meantime while Safe Harbor negotiations are ironed out. If you’re an MSP operating in the healthcare IT vertical, it will behoove you to know that in life or death matters, a patient’s medical records “can be transferred internationally in the person’s own interest.” Other exemptions include how you can transfer data in order to uphold a contract. Time will tell, but it’s likely that more of these workarounds will surface as negotiations continue.
The intent of this blog post was not to sensationalize a juicy news story and ignite public panic, nor was it to express that these are concerns of Continuum’s. As a company, our official stance as reported in ChannelE2E’s post is this:
“Without any concrete guidelines, it’s too early to assess the full impact of this ruling. We are carefully monitoring the situation. As rulemaking proceeds, we will be assessing what, if any actions may be required by Continuum or its partners to ensure compliance with European regulations.”
Rob Autor, Senior VP of Global Service Delivery at Continuum
As European Sales Director, I echo this sentiment. For now, we will wait and see what comes of this latest ruling from Europe’s highest court. We recognise that many U.K. IT support providers have offices or clients in the U.S. and we’ll be sure to update our European partners, should they have cause to worry.
What I hope I’ve done instead with this article is present the facts of a timely, relevant tech story and highlight gray areas that need further defining. Uncertainty is never a good thing in business, and unfortunately, this decision has left a lot of MSPs – both in the U.S. and U.K. – scratching their heads.
Are you one of them? What’s your take on last week’s judgment? Leave a comment below!