The European Court of Justice (ECJ) has declared that the 'Safe Harbour' agreement, that allowed data to be freely transferred from the EU to the US, is invalid. This has created uncertainty for many businesses, particularly those who used the agreement to transfer and store customer and company data outside of the EU.
So what does this mean for businesses in terms of storing their data in the future? It is often seen as normal business practice to turn straight to cloud services provided by Google, Amazon and Microsoft for company intranets and business administration. So for those businesses that were using the treaty for legitimate reasons, such as to share staff data via cloud services, or because it’s cheaper to keep data on servers in the US, now is the time to review other methods that enable data storage and transfer.
While guidance from the Information Commissioner - the UK’s Data Protection Authority - is still awaiting release, the initial step would be for businesses to check agreements with their hosting providers to gather an insight as to how they are going to be affected. In terms of employees, customers, and suppliers, consent should be gained via documents such as employment handbooks and terms and conditions to agree on how data will be stored going forward.
If businesses are worried about who may have access to their information, they need to be cautious before using cloud services to host or store any form of data. It’s important to highlight that backup processes can cause the data to be transmitted around the world. What is perhaps more concerning is that the outcome of Microsoft’s appeal to a court ruling required them to hand over data held in Ireland, the location of their data centre there, to US authorities. This could mean any arrangements to replace the Safe Harbour arrangements, which were already under review before the ruling was made, may not be enough. Guidance is awaited, but to be safe, businesses need to counsel caution as the cloud may not be the best place for their data.
In my opinion, the best way for businesses to deal with this would be to immediately review the services they are using. We always advise our clients on the consequences of access to data. As a firm dealing with legally privileged data, we are very cautious about the use of cloud services. Having said this, modern technology is a great enabler to collaborative working and easily sharing data and security wise, so when properly protected, cloud based storage is more secure than email. Security is going to be a big selling point for consumers as they will be largely concerned with how a business stores data going forward, and this is likely to determine whether a customer decides to engage with that company.
By Stephen Attree, managing partner and head of corporate and business services at MLP Law