LONDON
Apart from famous Mozart and infamous Hitler, Austria is not known for its oversupply of men who will leave their mark on mankind. Since this week we must add to the list Max Schrems who, with admirable boldness, stamina and single-mindedness, has convinced the European Court of Justice to pull the plug on the charade that the so-called EU-US Safe Harbor agreement was.
For those of you who hear about Safe Harbor for the first time, suffice it to say that it was a cosy arrangement whereby (mainly US) technology firms pretended to ensure their customer data were safe (especially from an increasingly nosy US government) and European governments and companies pretended to believe them.
My advice to my clients: be vigilant. Model clauses are a way to go, but may not be enough. Know what is at risk,
what you can live with and what you can’t. And challenge your cloud vendor.
Tell them that being compliant with their home government is fine, and even
mandatory in many cases, as long as it doesn’t adversely affect you. But one thing's for sure: with this landmark ruling , data privacy in Europe will no longer be the bed of roses it has been for American vendors. Their cost of doing business has clearly gone up one notch.
Apart from famous Mozart and infamous Hitler, Austria is not known for its oversupply of men who will leave their mark on mankind. Since this week we must add to the list Max Schrems who, with admirable boldness, stamina and single-mindedness, has convinced the European Court of Justice to pull the plug on the charade that the so-called EU-US Safe Harbor agreement was.
For those of you who hear about Safe Harbor for the first time, suffice it to say that it was a cosy arrangement whereby (mainly US) technology firms pretended to ensure their customer data were safe (especially from an increasingly nosy US government) and European governments and companies pretended to believe them.
Enter the young Austrian and things will never be the same
again. Although an early and enthusiastic advocate of the cloud, I have
repeatedly warned my Europe-based clients that going with a US cloud vendor now
entails significant data-privacy risks. This does not mean you should stop
considering Salesforce or Workday, but you should be aware of the risks posed
by your employee and customer data being
siphoned off to the US and finding their way to a competitor – or worse. One of the largest European manufacturers, whose only competitor is based in the US, is about to move from SAP HR to a cloud solution (NDA commitments prevent me from mentioning the client's name). It has the option of either sticking with its well-known vendor and adopting SuccessFactors, or picking HR's favorite, Workday (with Cornerstone for LMS.) The option is therefore between a comforting European vendor and two US vendors which could pose a significant risk since this client's business is basically a duopoly between them and the American competitor.
European hero |
Let’s not be naïve. Industrial espionage is a reality and
just like European governments try and help their companies win new markets so
does Uncle Sam. Except that the US government
has at its disposal cutting –edge technology and an arsenal of acts
of Congress that gives it
unparalleled power to do basically what
it wants. If the US government had the moral stature of the Dalai Lama we
probably wouldn’t worry. Unfortunately, trust in the US government (never very
high to start with - remember Nixon, the Criminal-in-Chief of the 1970s?) has
been steadily eroded by the Bush and Obama administrations’ continual assaults
on public freedoms and individual rights.
In Europe, whose contribution to civilization includes the
two most powerful totalitarian regimes of the 20th century, we take
data privacy way more seriously than across the Pond. Hence the Safe Harbor
agreement we insisted on for lack of a better alternative. Except that the
agreement soon turned out not to be worth the paper on which it was written, as
we realized that technology firms’ self-certification didn’t amount to much.
With Safe Harbor now in tatters, we have a unique
opportunity to fix this issue in a more credible way. One key demand of Europe
which must be met is to put an end to America’s extra-territorial laws. Just as
European laws cannot apply in the US, the arm of American law cannot extend
beyond its shores. Facebook/Google/Apple/Amazon/Workday/Salesforce/Microsoft must
NOT be forced by US courts to hand over data stored offshore. (Hats off to
Microsoft for steadfastly refusing to comply with orders to hand over European
customer data) User organizations must insist on their data being stored in
their own region with full guarantees that no access from the US would be
allowed. Of course, this is easier asked for than complied with. If a vendor’s
California-based support technician accesses a European customer’s system to fix an
issue, the data may well find itself replicated
on a US server where it would fall under US jurisdiction. (And careful about that spreadsheet of employee bonuses being emailed from a European office to a manager in the US - that may no longer be legal).
At Cornerstone's Convergence event in London this week, I asked their founder and CEO, Adam Miller about it. He promised they would never transfer European customers' data to the US.
"What if a US court requests you to hand over the data? Will you refuse to comply?"
"We will not hand the data over, because it is not ours. It is our customers'," Adam replied categorically.
I always find it very entertaining to see some SaaS vendors
insist that, during implementation, all customer data to be migrated can only
be sent via a secured, encrypted STP
server, never by email or a thumb drive in order to ensure system integrator (SI) consultants
never have a copy of your data. Well.... Many screens or reports can easily be exported in Excel or PDF format
on a desktop or laptop. No SI checks at the end of the day that their consultants’
laptops are clean. Nor do they prevent external hard drives being hooked up to
their computers.
No comments:
Post a Comment