European companies have to rethink their cloud strategy, and fast, after the European court of justice dealt a blow to the Privacy Shield agreement. An open letter by Tobias Gerlinger, CEO, ownCloud.
After the European court of justice ruled invalid an agreement between the EU commission and the US government called privacy shield, European companies now face fines for infringing on data privacy rights when they process and store user data with US companies.
The consequences of invalidating Privacy Shield
Yet only a few companies have pledged to change their processes, which is a bit surprising since the ruling was handed down in July. It has swept away any legal basis for storing and handling their European users’ personal data in data centers run by US providers, even if the actual facilities involved are located on European soil. And since the EU and the US are unlikely to come up with a quick new agreement that also addresses the courts’ misgivings about the late Privacy Shield and Safe Harbor, companies would be well-advised to take a hard look at their cloud strategies. Even the Irish data privacy regulator, not known as particularly unsympathetic towards US tech giants, has ordered Facebook to stop transferring user data from the EU to the US.
What companies could do now
There are roughly three paths forward for companies that use US clouds. One is to present all their users with a comprehensive consent form to allow the processing and transfer of their personal data and pray that all relevant users will sign. Or they can heavily encrypt data before transferring, which makes them impractical and borderline impossible to process in US clouds. Also, it is hard to know exactly which level of encryption government agencies can crack, and at what cost meaning at what scale. The third and, by our reckoning, most sustainable way is to, at least for personal data storage and processing, avoid US clouds altogether and use private clouds or on-premises storage instead.
As a first step however, companies need to face up to the fact that the legal basis has shifted and to what that means for their handling of personal data. They need to identify risks and vulnerabilities, and draw up plans both for the short and the long term.
In the long term, choose sovereignty
In the long term, shifting processing and storage into the EU or places with legally adequate protection is without real alternative. As a quick win, companies can start by relocating at least the most sensitive data from public clouds run by US providers into secure private clouds. For example, public cloud storages can be supplemented with fully compliant private cloud storage, as in a hybrid cloud, instead of before replacing public cloud storage completely. Through the ownCloud integration with Microsoft office online server, this has no downside in functionality and usability for users accustomed to Microsoft office.
To run these kind of private cloud environments themselves, companies need to have some sort of IT department, of course. Fortunately for those who haven’t, they are shortcuts like managed services and managed hosting to run private clouds efficiently on-premises or in secure shared environments.
The courts decision for more digital sovereignty makes clear that the political landscape has shifted towards European independence from US tech giants. Both European companies and public administrations would be well advised to check their cloud infrastructure to make sure it is in accordance with the current regulatory framework brought about with legislation like GDPR. Private cloud storage is a keystone for these forward-looking kinds of cloud strategies.