Europe’s dissolution of the framework that made it simple for companies to transport data among data centers in Europe and the US while staying inside the restrictions of European privacy laws has caused a lot of doubt for businesses that function data centers on both parts of the Atlantic.
David Snead, an attorney and co-founder of the Internet Infrastructure Coalition, a US advocacy group whose associates include Google, Amazon, and Equinix, amongst many others, said there were presently two “schools of thought” on the topic.
“One is that Safe Harbor is dead,” he said.” The other, which I think is actually the accurate answer, is that the European Union and the European Commission in particular, need to figure out how to interpret the ruling. It is unrealistic to think that all transatlantic data is going to have to stop as a result of this decision,” Snead added. “The European Commission is likely to figure out a way to accommodate it, and the US is as well.”
The court in Ireland sided with Facebook, citing Safe Harbor. Schrems’s appeal with the EU court resulted in this week’s decision.
“With our EU-approved [Data Protection Agreement] and Model Clauses, AWS customers can continue to run their global operations using AWS in full compliance with EU law,” an AWS spokesperson said in an emailed statement. “The AWS DPA is available to all AWS customers who are processing personal data, whether they are established in Europe or a global company operating in the European Economic Area.”
Other US cloud companies, including Salesforce, Microsoft, and Google, have also taken the model-clause route.
“This is an unfortunate and costly ruling and undermines the long-standing commitment that infrastructure providers have used to implement data protection methods for customer data,” Andreas Gauger, chief marketing officer and co-founder at ProfitBricks, a German cloud services company, said in an emailed statement. “Quality IaaS providers provide customers with secure, cloud-based virtual infrastructure, and are flexible enough to … give customers control over their data, encryption methods, and data transfer methods.”
“Fundamentally, the ruling should be a wakeup call to US Congress that the world still cares about US surveillance activity, and that US needs to continue to show that it respects the privacy of the world’s internet users,” Snead said.
“The conversation shouldn’t be limited to the US, since government surveillance is an international issue”, he added. “The reality is that you want to be safe from any governmental spying. No contract is going to keep the German government from spying on you or compelling your German data center to provide access to them without notifying you.”
“It is important to stop saying internet surveillance is a US government problem, a German government problem, or a Chinese government problem”, Snead said. “This is a global problem, where governments are seeking access to data in ways that users don’t know.”
“The concept of “data transfer” is an old-fashioned one”, Cliff Moyce said,” Today, data is accessed rather than transferred. “Modern systems infrastructures mean that data can be accessed from anywhere,” he said. “The secret to compliance is control of access, not control of ‘transfer.’”