The problem with the cloud: The Safe Harbor agreement
The safe harbor provided for personal data from EU countries stored in the US is history: After 15 years, the CJEU (Court of Justice of the European Union) has declared the Safe Harbor agreement to be invalid. The agreement had never contributed much to the safe exchange of data anyway: How safe can a harbor be if, despite good intentions, it never actually conducts any regular, in-depth checks? To protect the archives and storage of corporate data and documents in the cloud, there need to be concrete protective mechanisms — not just good intentions.
Following a complaint submitted by Austrian data protection activist Max Schrems, the CJEU has knocked the Safe Harbor agreement (drawn up between the EU Commission and the US in 2000) down with a single punch. Data protection campaigners are celebrating this as a landmark decision which signals the end of free data transfers to the US without additional European control mechanisms. The Safe Harbor agreement had already been under fire for years. However, without the Safe Harbor agreement, we now need to rethink the movement of data between Germany and the US. This is particularly relevant following the first announcements from government authorities that they will be following up on any violations during this transitional period. Any company that provides or uses cloud services now needs to establish new contractual provisions to guarantee data security. Companies that relied solely on the Safe Harbor agreement when transferring personal data from the EU to the US need to find new alternatives; the sooner, the better. However, the industry association Bitkom points out that “Safe Harbor is not the only way to make sure that the transferal of personal data to countries outside of the EU conforms with the data protection law." There are also the standard contractual clauses issued by the EU Commission, for instance, and the Binding Corporate Rules. However, if you take a closer look at this case, you will see that the CJEU declared the Safe Harbor agreement to be invalid for a number of reasons, one of which being that "the right to privacy, guaranteed by Article 7 of the Charter, would be rendered meaningless if authorities were authorized to access electronic communication." The only option left for companies is to obtain their users’ individual consent to transfer their data — an almost impossible task to manage.
Information map needed
Ultimately, the problem lies less in the American companies. According to data protection requirements, the entity processing the data is responsible, meaning that European companies therefore have to account for data protection when using the cloud services in question. “Check where your data really is,” is what industry expert Dr. Ulrich Kampffmeyer advises users in his article “EuGH kippt Safe Harbor — wohin nun mit den Daten?” (CJEU rejects Safe Harbor — what do we do with our data now?) published on 14 October 2015. As he points out, you may know the primary storage location when using the cloud or when outsourcing typical tasks to data center providers, but you might not be aware of the secondary location and where the data is backed up. According to German and European laws and directives, no important data, e.g. related to tax law, trade law, etc., can be stored on servers in the US. Kampffmeyer argues that this is an unrealistic request in the era of mobile phones and the cloud. "Classifying corporate information by importance and confidentiality (information mapping) is now more important than ever before," explains Kampffmeyer in a to-do list for users. And for cloud providers, his advice is to offer software and storage locations on a regional and local level with backup solutions and corresponding evidence — "a wonderful job" for testers, auditors and certification bodies, says Kampffmeyer.
The digital revolution under threat?
Digital business processes are a must if a company wishes to remain competitive in the current market. Uncertainty about data protection could pose a threat to the much-needed digital revolution in Europe; after all, we also need to protect our own sensitive corporate data from impermissible access. If you ask companies in Germany, Austria and Switzerland why they have been delaying relocating their data to a cloud, preferring to run their own enterprise content management systems, they will often mention data protection and IT security in their arguments. Following the CJEU decision on data protection, they now feel justified in their reservations. However, their concerns are not necessarily justified when it comes to IT security.
Doxis encryption: A secure solution for data protection and IT security
Anyone wishing to utilize the flexibility of a cloud without becoming reliant on external service providers can opt for their own private cloud, and thus establish the highest standards in security. Anyone who does not wish to give up using a public cloud can gain additional security by encrypting their data with Doxis. Encrypting valuable company information is an effective protective mechanism and also makes asynchronous replication in a cloud safer by first encrypting corporate information from the in-house ECM system and then storing the replication on a public cloud. With the Doxis iECM suite, companies can solve both of these problems: guaranteeing the effective protection of personal data, even without the Safe Harbor agreement (data protection), and benefiting from a company-wide, multi-site information management system, without risking unauthorized persons gaining access to sensitive corporate data (IT security). Encrypting data and documents makes them useless to third parties. As a result, Doxis users can always stay on the safe side — even without Safe Harbor!