Two long-simmering questions about data residency requirements have been answered, but neither resolution will fully quell cloud providers' lingering uncertainty around international data transfers.
Last week, the European Commission formally adopted the U.S.-EU Privacy Shield to provide legal cover for transatlantic data transfers. Meanwhile, a federal court overturned an order for Microsoft to provide access to a customer's emails in Ireland. Both moves provide a degree of clarity to cloud providers and customers that rely on these global networks of data centers to conduct business around the world, though more challenges lie ahead.
Privacy Shield fills the void left by the dissolution of the Safe Harbor agreement last October and is seen as an improvement for privacy and transparency, though some advocacy groups feel it still doesn't go far enough. It replaces the self-reporting model that 4,500 companies relied on through Safe Harbor with a higher bar for approval and regular reviews of participants' practices by the U.S. Department of Commerce.
The initial agreement on the Privacy Shield framework was reached in February, though there have been several adjustments since, including restrictions on bulk data collection and surveillance by the U.S. government.
CA Technologies, a global software company headquartered in New York, relied on corporate binding rules and worked with customers to update contracts with new clauses to respond to the "legal vacuum" caused by the dissolution of Safe Harbor, said Christoph Luykx, the company's EMEA government relations director.
Questions from CA customers following the end of Safe Harbor have been infrequent or low on the priority list, and mostly came up during specific contract negotiations or renewals. CA didn't have a set of stipulations it wanted to see in the new deal, as long as the framework would reflect the EU Court of Justice's concerns and provide businesses with stability and legal certainty, Luykx said.
Companies can start signing up on Aug. 1, and CA likely will sign up for Privacy Shield after its legal team reviews the full, final text. "We're in safer waters, but it's not smooth sailing, because we do have some more challenges ahead," Luykx said.
Safe Harbor was in place for almost 15 years before it was struck down last fall by the European Court of Justice. The court's ruling was based on an appeal by Max Schrems, an Austrian privacy activist who raised concerns about Facebook's use of customer data. Schrems reportedly plans to appeal Privacy Shield, as well -- but even if he doesn't, industry observers expect some form of legal challenge to crop up in the next couple of months.
Privacy Shield is an improvement over Safe Harbor, but there's still plenty of gray area, and the pending legal fights only add to the uncertainty for cloud service providers and customers, said Duncan Brown, research director for European security practices at IDC.