You are here


After EU Safe Harbor Is Struck Down, What Next?

Posted by Yorgen Edholm

On Tuesday, October 6, 2015, the European Court of Justice, the highest court in the European Union, struck down the Safe Harbor agreement that enabled organizations, including leading tech companies such as Google and Facebook, to transfer personal data from Europe to the United States without violating European data privacy rules.

The court pointed out that, because the USA Patriot Act gives U.S. intelligence agencies free access to personal data held by U.S. companies regardless of where the data is physically stored, the Safe Harbor agreement does not adequately protect the privacy rights of European citizens. Accordingly, the court struck down the Safe Harbor agreement, which had been in place since 2000 and adopted by well over 3,000 American and European companies.

The court’s ruling – which cannot be appealed – affects every multinational company that transfers personal data, even payroll data, from Europe to the United States. The ruling also affects all cloud service companies, such as Box, Facebook, and Google, that routinely store the personal data of European citizens in U.S. data centers.

Without Safe Harbor, an organization may need to negotiate separate agreements with each European country whose citizens’ data it is storing and managing. The safest way to comply with European data privacy laws may be to host data locally—German data in Germany, French data in France, and so on.

Are EU Model Contracts an Alternative?

Microsoft and a few other companies have sought an alternative to Safe Harbor by striking separate contracts with European countries regarding the transmission and storage of personal data. These contracts are not necessarily invalidated by last Tuesday’s ruling, but they may eventually be struck down for the same reason—namely, that the agreements fail to protect the personal data of European citizens from inspection by U.S. intelligence agencies and deprive European citizens of any recourse to how their data is accessed.

Brian Hengesbaugh, a privacy lawyer who helped to negotiate the original safe harbor agreement, shared his assessment with the The New York Times: “we can’t assume that anything is now safe. The ruling is so sweepingly broad that any mechanism used to transfer data from Europe could be under threat.”

The Advantage of Private Clouds

Europeans have long been concerned about data privacy. The European Union’s Data Protection Directive (Directive 95/46/EC), which establishes the right of individuals to know who is collecting their data and how that data is being used, was passed twenty years ago, in 1995. A more recent directive proposed in 2012 attempts to update that earlier directive to account for social networks and cloud services in a globalized economy.

Laws change, but an option that has always been available to companies that want to control access to their data is to use private clouds. Private clouds are cloud services that offer the scalability and flexibility of public cloud services, while enabling a company to maintain full control over its data and services, which are hosted in its own internal data centers.

As a result of the European Court of Justice’s ruling, many people on both sides of the Atlantic expect more companies with operations in Europe to adopt private clouds.

kiteworks: Secure Content Management in Private Clouds

The Accellion kiteworks secure content management platform was designed from the start to be a private cloud solution. Although Accellion also supports public and hybrid cloud deployments, 80% of Accellion’s customers utilize a private cloud solution, and in fact the number is closer to 90% in EMEA. Accellion already has many customers based in EMEA or global organizations with EMEA offices that take advantage of Accellion's on-premise, private cloud capabilities that assure data sovereignty.

Any company interested in managing its content in a secure private cloud environment should consider adopting kiteworks to support secure content management and file sharing while complying with local data privacy directives.

For more information about how Accellion can help companies respond to the Safe Harbor ruling, please visit: