Concerned about the recent European Court ruling on Safe Harbor?

03 Nov 2015
Kieron Sambrook-Smith
Chief Commercial Officer

Platform.sh takes you well outside this jurisdiction anyway.

Any EU-based organisation that thought its EU-originated confidential data was protected while residing on servers located in the U.S. will now be doubting that protection. Any number of agencies may have been able to access all of it. In short, the European Court of Justice (ECJ) has called for the invalidation of the Safe Harbor agreement between the US and the EU, citing that Safe Harbor does not sufficiently protect an EU citizen's data that is stored in the U.S. and is hence subject to government surveillance. The ECJ has overturned the Safe Harbor agreement, thus resulting in a potential suspension of data transfer should a particular company not adequately protect user data.

Having done some research into this ruling and plagiarised some clear thinking out there on the web, I have concluded that while this decision does not spell an immediate end for Safe Harbor, it does give regulators the right to investigate and suspend data transfers if they don’t feel the data is significantly protected - potentially a major setback for businesses that want to collaborate across borders (including most eCommerce). Although negotiations between the U.S. and EU are already underway, ahead of any resolution to this current state of uncertainty, I’d like you to consider some of the following prevailing views:

  1. For companies whose business it is to consolidate and analyse data and then sell indirect access to this data, the dissolution of Safe Harbor is problematic as it impacts their core business model.
  2. For Cloud vendors that sell to Enterprises - anywhere in the world - where the focus is on processing and analysing a single customer’s data (versus aggregating multiple customers’ data), it should be less of a problem, assuming that they have built their cloud platform to support multiple cloud instances that can be deployed in local data centres. This gives customers the option of choosing which data centre they want to use when they sign up for the service. Unfortunately, most cloud vendors who sell to Enterprise have not set up their cloud offering in this way and don’t have multiple data centres throughout the world.
  3. The EU’s ruling has made the cloud very physical by shifting the focus to the physical location in which data is stored and how it is transferred. One sure way that U.S. companies can comply is to only shortlist EU companies that have data centres located in the EU. They should also make sure to understand and meet the data protection laws in each country in which they plan to do business. For example, if a US company plans to have customers in the large German market, it should only pick a company providing services based on hosting facilities in data centres located in Germany itself, and owned by a local German entity. It’s next to impossible to meet the German data protection laws’ requirements otherwise.

Platform.sh gives you the flexibility and choice to deploy different applications to specific geographical hosting infrastructures that protect your data according to its required level of security. Please see our web page https://platform.sh/enterprise/on-premises-paas/.