What The EU’s Safe Harbor Ruling Means For Data Privacy In The Cloud

The European Court of Justice today struck down the 15-year-old data transfer agreement between the European Union and the US. Here’s how to begin to prepare for the fallout.

Michael Fey, President & COO, Blue Coat

October 6, 2015

3 Min Read
Dark Reading logo in a gray background | Dark Reading

The Snowden effect has caused the European Court of Justice to strike down a 15-year-old data transfer agreement, known as Safe Harbor, between the EU and the U.S. that allows multinationals to store Europeans’ data in the U.S. if the companies agree to comply with Europe’s data privacy laws. U.S. corporations with operations in Europe are paying close attention to the ruling, which was announced today, Tuesday, October 6.

This turn of events certainly causes operational angst for thousands of U.S. businesses that, for example, need to understand and act on global trends. Scrapping Safe Harbor restricts the free flow of data organizations rely on, in part, to do mission-critical analysis for business decision-making. While this decision immediately affects EU and companies doing business in EU countries, it will spread. Countries with either follow suit, or “retaliate,” so the expectation is that all companies should be prepared for this to become a much larger issue over time.

Tightening data privacy regulations carry potentially dire consequences for businesses that can’t quickly adapt. In particular, the Safe Harbor ruling puts Cloud Service Providers (CSPs) in a tough spot as they depend on the framework to do business in Europe, specifically using it to authorize them to store data on behalf of European companies and mobile application developers. This will have a large impact on investment and financial performance. Not only will companies need to build new data centers in countries in which data must now reside, but it will impact could providers’ ability to sell services to entire regions.

 As organizations aggressively push cloud adoption, it’s a given that more sensitive and regulated data is ending up in the hands of outside service providers and solutions like SaaS application systems. As a result, recent survey findings show most IT security professionals believe they don’t have full visibility into where all their organization’s sensitive data truly resides. When it comes to dealing with these types of data privacy and residency challenges facing multinationals, the advantage certainly falls to the infosec community and the vendors whose products and services can help businesses manage through regulatory changes like this Safe Harbor case.

Organizations need actionable advice for instituting proactive means and mechanisms to ensure data privacy and regulatory compliance while they run the business – a significant piece of guidance that is lacking from the Safe Harbor legislation. As a starting point, here are five tips for companies to control cloud data and access in light of the Safe Harbor ruling and evolving regulatory landscape:

  • Get visibility into exactly what data is moving outside of your network and where. Discover shadow clouds, inventory (potentially) sanctioned clouds, and determine where all the data centers are and which ones need to get compliant.

  • Take proactive steps to tokenize data to ensure compliance with prevailing EU data privacy regulations. Tokenization is considered by many to be the de facto standard to address data privacy and compliance since tokens have no mathematical relationship to the original clear text sensitive data and no possibility of back doors/trap doors.

  • Try to leverage CSP’s local EU datacenters where you can, but be mindful that Cloud providers often maintain the right to move data between datacenters, and your primary and back up datacenters may be located in different countries/regions.  

  • The regulatory and data privacy landscape will continue to change, so future proof your IT and cloud infrastructure to allow you the flexibility to quickly adapt to evolving regulations, for example, by parsing, anonymizing and encrypting data. As an enterprise, make sure you are taking responsibility for implementing ways to share data in an anonymized fashion that still allows you to get the insights you need without violating individual privacy specifications.

  • When encrypting data, sole physical encryption key ownership and custody are mandatory for data protection. Also make sure that your encryption approach ensures that data is protected in all three phases of the cloud data lifecycle: in transit, at rest and in use.

About the Author

Michael Fey

President & COO, Blue Coat

Michael Fey is Blue Coat's president and chief operating officer. With a proven track record in operational and go-to-market strategies, Fey is focused on driving revenue growth and further extending the reach of Blue Coat in the market. Reporting to Blue Coat CEO Greg Clark, Fey is responsible for aligning the company's leading web security, encryption management, cloud offerings and advanced threat protection solutions with customer requirements. Additionally, he is responsible for field and customer-facing business operations.

Prior to joining Blue Coat, Fey was with the Intel Security Group serving as executive vice president, chief technology officer, and general manager of corporate products. In this role he drove the company's strategic vision and security innovation. Fey also managed business operations and strategy for corporate product business units at McAfee, part of Intel Security. Previously, Fey was senior vice president of advanced technologies and field engineering with McAfee where he oversaw key corporate acquisitions, and engagement with global customer executives and prospects to develop, build, and implement strategic security solutions.
An industry veteran, Fey has held leadership positions with Opsware, Mercury Interactive, and Lockheed-Martin. He graduated magna cum laude from Embry-Riddle Aeronautical University with a Bachelor of Science in engineering physics and a minor in mathematics.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights