6 October was quite an interesting day for consumer privacy. After 15 years in place, the Safe Harbour agreement was declared invalid by Europe’s highest court, the Court of Justice of the European Union.
Driven by data localisation trends and consumer privacy concerns in the wake of the “Snowden Effect”, the ruling empowers each country in the European Union to set its own consumer privacy rules and regulations.
The court’s decision has complicated implications for U.S. organisations conducting business overseas. In light of Safe Harbour’s invalidation, can international businesses continue to operate as usual?
The Way We Were, and How the Future Is Shaping Up
Back in 2000, Safe Harbour was enacted to expedite the transfer of digital data between companies and international networks. Under the framework, U.S. companies conducting business in the European Union followed one uniform set of E.U. privacy standards, and could transfer data from E.U.-based consumers (like on-site activities and purchase histories) back to U.S. servers. For example, a Parisian could update his or her Facebook profile, and the data could be transferred to one of Facebook’s data centres in the United States.
In recent years, consumer privacy issues have really hit the spotlight. In a post-Snowden world, there is fear that the U.S. government is accessing consumers’ private data, leading to a push for global data localisation. For example, Russia requires data about Russian users to be stored within the country's borders, and now with the Safe Harbour decision, localisation regulations could apply to data about residents of the European Union as well.
As the Court of Justice explains, the 28 countries in the European Union will have individual oversight regarding how companies collect and manage their respective citizens’ data. To add even more complexity, countries in the European Union have widely varying attitudes about privacy. With the invalidation of the Safe Harbour framework, these countries can now create their own privacy rules and regulations.
The Cloud: Holy Grail of Customer Data Management?
This ruling is a potential hit to enterprises conducting business overseas. Why? Global brands will now be required to manage their customers’ data in multiple geographies and navigate a patchwork of rules and interpretations of how consumer data should be stored, managed and used. This could mean building out, securing and managing expensive data centres in multiple countries. For smaller and non-tech companies, on-premises storage and management of consumer data in several regions will be either not feasible or extremely cost-prohibitive.
But it doesn’t have to be all doom and gloom. Now faced with the difficulty and cost of navigating and complying with several potential new privacy rules and regulations overseas, consumer-facing enterprises with international user bases could migrate their customer data from owned and operated on-premises data centres to cloud vendors that already have in place international infrastructures for customer identity data management. This migration could make it easier for these consumer-facing enterprises to comply with new and evolving regulations that may arise following the ruling. Cloud technology is already being adopted rapidly because of its scalability, faster time-to-market and lower costs, and the Safe Harbour ruling will only accelerate that adoption.
Consumer privacy is an incredibly important issue in our post-Snowden era, and we are likely still in the early stages of geographically dispersed regulation. The next iteration of Safe Harbour is already in the works, with E.U. and U.S. officials re-negotiating the details to make it more consumer privacy-friendly.
Importantly, this increased emphasis on privacy doesn't have to be a win for consumers at the loss of businesses, but in order for that to be a reality, organisations will need to rethink how they've been approaching customer data management and consider the cloud.
Patrick Salyer, CEO of Gigya