
How is the Safe Harbor ruling impacting CRM - and how should you respond?

18th Oct 2015

Earlier this month, the European Court of Justice ruled that the US Safe Harbor agreement, the framework under which personal data has been transferred from the EU to the US, is invalid, a decision with potentially significant implications for enterprises and for the Silicon Valley giants that hold their private data.

European firms have been able to keep data on remote systems in the US under the Safe Harbor rules for the last 15 years, but the European Court of Justice ruling means that this basis for transfer is now invalid and a replacement must be negotiated to keep European citizens' data protected.

This may have major implications for CRM users of US-based hosted services: companies could now face scrutiny from individual European countries' data protection regulators and may be required to host European user data in Europe, rather than transferring it to the US for hosting.

Safe Harbor is not the only lawful basis for transferring personal data from the EU to the US; standard contractual clauses (model clauses) and binding corporate rules remain available. But early reports indicate that the ruling is already having an impact on the CRM world, as concerned companies react to the uncertainty.

For instance, John Paterson, CEO and founder of Really Simple Systems, has reported a rush of concerned Salesforce CRM customers signing up for his company’s CRM. And he believes that the fallout will continue until there is more clarity on the issue.

In his blog, he writes: “US cloud vendors are in a sticky position. They can try to build hosting infrastructure in Europe, isolated from US access and owned by a European subsidiary. But that will take time, and will still be exposed to US prying if a US court instructs the company to hand over the subsidiary’s data, as is happening to Microsoft. Although the public statements from them assert that it’s ‘business as usual’ and they aren’t affected, behind the scenes there is panic.

“Data aggregators that combine and sell user information to advertisers, like Facebook, Google and LinkedIn, will have to split their systems so that EC data is no longer visible to servers in the US, making selling advertising more complicated.

“It’s a mess. But the US has only itself to blame for having sloppy or non-existent data protection laws, zero respect for non-US citizens’ privacy and ignoring the EC’s concerns for a decade. Meanwhile, until the legal position is resolved, EC companies like Really Simple Systems will hoover up European CRM customers, especially those in regulated industries like finance and healthcare where compliance is enforced.”

For its part, the Information Commissioner’s Office (ICO) has called for regulators and legislators to provide a considered and clear response.

“The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take some time for them to do this,” said ICO deputy commissioner David Smith in a statement.

“It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure that they are complying with the law related to international transfers. We will now be considering the judgment in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them.”

The ICO recommends that concerned businesses should check the ICO website for further details over the coming weeks, as it continues to work with its European colleagues to produce guidance.

In the meantime, Marc-Elian Bégin, CEO and co-founder of SixSq, one of the suppliers for the Cloud for Europe project, has provided his thoughts.

What do the changes mean for business?

Bégin says businesses should choose their cloud products and services “very carefully”.

“Enterprises that are worried that their data might be used or spied on will want to avoid US-based providers. It is one thing for the EU to rule that US-based companies cannot send user data to the US for processing, but this will take time to implement and enforce.”

Indeed, the US Department of Commerce’s Safe Harbor site says it is continuing to administer the programme.

“In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor programme, including processing submissions for self-certification to the Safe Harbor framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.”

Bégin adds that there’s also the Patriot Act, “which potentially allows US authorities to force a European subsidiary of a US-headquartered company to access data hosted in the EU.”

What should businesses do to protect data storage?

Bégin adds that, in light of the ruling, businesses should review their data storage strategy.

They should make sure they understand what is stored where and be clear on data categorisation (not all data has the same level of confidentiality or privacy), he says.

“Businesses should also challenge providers to be explicit about where their data is and ensure this is reflected in their contract terms. They could also seek expert help to ensure they have their house in order and have considered all options,” he adds.

What security changes are we likely to see in the future for cloud tech?

“At the source of all this is the knowledge that the cloud being ‘somewhere out there’ is not acceptable anymore. Users now need to understand exactly what data is where. And this will be a significant challenge for companies mixing and matching services,” Bégin says.

“Cloud technology now more than ever before needs to offer transparency in terms of where applications are deployed and running, what data they access and produce, where it leaves data, and what and how to erase data after processing.”

Companies will have to be more involved, Bégin says, and it is also up to technology developers to make this process easier than it currently is, as SixSq itself is finding.

“We are now working on major improvements to our service catalogues to make selecting a cloud much simpler, safer and clearer. For this, we are teaming up with European cloud providers, research partners and security specialists such as the Cloud Security Alliance.

“Providing application developers with better tools to deal with data (big and small) is another field of development that is keeping us busy.”
