Posted 15 October, 2015 • by Mary McCoy
Now that the dust has settled, let's revisit last week's ruling regarding Safe Harbor. In case you're unfamiliar with this international headline, the European Court of Justice ruled invalid a fifteen-year-old data transfer pact between the United States and Europe. When former National Security Agency (NSA) contractor Edward Snowden exposed the extent of the NSA's international data surveillance, he created a ripple effect. The result? Public anxiety around data privacy has become cemented in international law. What does this mean for IT service and solutions providers in the U.S. and U.K.? We can't definitively say, but here's a closer look at the situation...
Right now you're probably thinking...but I'm not Facebook or Google. Aren't they the only ones who should be sweating bullets about this? True, the immediate impact will be experienced most by these tech mega-companies, but that doesn't necessarily mean SMBs are in the clear. Most of the coverage you'll read discusses how this decision affects the regulation of "big data." By this I mean the personal data companies collect regarding a person's social media activity or web search and purchase history. With (Un)safe Harbor, there's now uncertainty over whether this data can legally be distributed across the Atlantic. While sure, this is a problem for the Facebooks, Googles, and Amazons of the world, what about all of us who rely on their services to gather lead and client information for subjects outside of our borders? Can a U.S. company seeking to prospect in Europe legally gain access to a U.K. resident's web history to run targeted remarketing campaigns designed to hold their interest? We don't know at this point.
As we already learned in Getting Up to Speed with European Data Privacy Reform, to protect the privacy of citizens, businesses need to obtain consent from those European residents whose personal data they want to track. Additionally, with new changes to the single EU digital standard, all data that identifies an individual, whether directly or indirectly, will now be personal data. This includes IP addresses and pseudonyms. Does that then mean that this data can only be stored and accessed within the confines of the 28 EU member states?
It's also curious that the EU seeks to move to one, unified data regulation standard when this new ruling affecting approximately 4,500 companies establishes the precedent that each individual European country may choose how they regulate US companies' processing of personal data.
While time will tell what comes of this judgment, a few leading publications are already weighing in.
TechCrunch, for instance, claims "companies will need to restructure their European data processing operations — such as building European data centers to process regional data," adding that "such shifts might require other significant procedural changes in how they manage user data flows." If you're an MSP operating in the U.S. with European clients or a European office, this potential change could be an incredible undertaking, both in terms of cost and time.
The Financial Times also suggests that companies, especially cloud services companies like Amazon Web Services and Salesforce, may increasingly localize with data centers in Europe, potentially leaving SMBs at a disadvantage. In response to their findings, I wonder if AWS expanding its global infrastructure might mean smaller cloud hosting providers may not be able to keep up and MSPs may be forced to migrate to AWS. Think about the supply and demand angle here. If you're AWS and are experiencing a huge influx of businesses demanding your services out of necessity, won't you want to increase your price? Again, this is merely conjecture reflective of the uncertainty the ruling has introduced for businesses of all shapes and sizes.
The Financial Times also draws attention to the millions that smaller EU companies may have to spend to take on "the strenuous task of shifting data held on American computing infrastructure back to Europe, or securing the technical legal agreements to satisfy the new data protection regime."
Then, you have to consider those enterprising IT service providers that seek to take on clients in the U.K. (if they're a U.S. company) and the U.S. (if they're a U.K. company). There's an appeal for some larger U.K. MSPs to serve clients in the United States, since English is the primary language. With the scope of language fragmentation between European countries, targeting the U.S. may be the next logical step for U.K. IT solutions providers wanting to branch out of their territory. With this new data transfer gray area, does that mean that the majority of these businesses will delay expansion indefinitely?
UPDATE via The Register: The data protection authority (DPA) of the German federal state of Schleswig-Holstein has stated that any and all attempts to evade the European Court of Justice's judgment will be illegal, claiming "only a change in US law can make US companies compliant with European legislation." Furthermore, violators can expect to pay up to €300,000.
Considering that Safe Harbor was a loophole that enabled U.S. companies to evade the full weight of the European Data Protection Directive via these seven principles, we should expect more resistance to the restriction of the free flow of data. In fact, we're already witnessing this. According to Business Insider, the US Department of Commerce still plans to carry out Safe Harbor, despite the fact that any arrangements made after the ruling "will not hold any legal weight with European authorities — meaning American companies who choose to take this route are opening themselves up to legal challenges from national regulators." And guess who they're directing further inquiries to, as expressed on their website? The European Commission (EC) or legal counsel. It's only been about a week since the ruling, and already we're facing a tangled mess of international bureaucracy along with business uncertainty.
At a press conference, the EC's justice commissioner Vera Jourová confirmed data-sharing alternatives to practice in the meantime while Safe Harbor negotiations are ironed out. If you're an MSP operating in the healthcare IT vertical, it will behoove you to know that in life or death matters, a patient's medical records "can be transferred internationally in the person’s own interest." Other exemptions include how you can transfer data in order to uphold a contract. Time will tell, but it's likely that more of these workarounds will surface as negotiations continue.
The intent of this blog post was not to sensationalize a juicy news story and ignite public panic, nor was it to express that these are concerns of Continuum's. As a company, our official stance as reported in ChannelE2E's post is this:
“Without any concrete guidelines, it’s too early to assess the full impact of this ruling. We are carefully monitoring the situation. As rulemaking proceeds, we will be assessing what, if any, actions may be required by Continuum or its partners to ensure compliance with European regulations.” ~Rob Autor, Senior VP of Global Service Delivery at Continuum ~
European Sales Director Paul Balkwell echoes this sentiment, claiming that "for now, we will wait and see what comes of this latest ruling from Europe's highest court." Continuing, he said "we recognize that many U.K. IT support providers have offices or clients in the U.S. and we'll be sure to update our European partners, should they have cause to worry."
What I hope I've done instead with this article is present the facts of a timely, relevant tech story and highlight gray areas that need further defining. Uncertainty is never a good thing in business, and unfortunately, this decision has left a lot of MSPs - both in the U.S. and U.K. - scratching their heads.
Are you one of them? What's your take on last week's judgment? Leave a comment below!
Meet Mary! Mary McCoy is a Senior Demand Generation Programs Manager at Continuum, where she's worked for over two years. Mary has consulted with hundreds of partners, lending website, blog and social media support. Before that, she graduated from the University of Virginia (Wahoowa!) with a BA in Economics and served as digital marketing intern for Citi Performing Arts Center (Citi Center), spearheading the nonprofit’s #GivingTuesday social media campaign. Like her school’s founder, Thomas Jefferson, Mary believes learning never ends. She considers herself a passionate, lifelong student of content creation and inbound marketing.