Friday, October 9, 2015

Burying the bad, sad joke of Safe Harbor and what it means for cloud users and vendors

LONDON

Apart from famous Mozart and infamous Hitler, Austria is not known for its oversupply of men who will leave their mark on mankind. Since this week we must add to the list Max Schrems who, with admirable boldness, stamina and single-mindedness, has convinced the European Court of Justice to pull the plug on the charade that the so-called EU-US Safe Harbor agreement was.

For those of you who hear about Safe Harbor for the first time, suffice it to say that it was a cosy arrangement whereby (mainly US) technology firms pretended to ensure their customer data were safe (especially from an increasingly nosy US government) and European governments and companies pretended to believe them.

Enter the young Austrian and things will never be the same again. Although an early and enthusiastic advocate of the cloud, I have repeatedly warned my Europe-based clients that going with a US cloud vendor now entails significant data-privacy risks. This does not mean you should stop considering Salesforce or Workday, but you should be aware of the risks posed by your employee and customer  data being siphoned off to the US and finding their way to a competitor – or worse. One of the largest European manufacturers, whose only competitor is based in the US, is about to move from SAP HR to a cloud solution (NDA commitments prevent me from mentioning the client's name). It has the option of either sticking with its well-known vendor and adopting SuccessFactors, or picking HR's favorite, Workday (with Cornerstone for LMS.) The option is therefore between a comforting European vendor and two US vendors which could pose a significant risk since this client's business is basically a duopoly between them and the American competitor.

European hero
Let’s not be naïve. Industrial espionage is a reality and just like European governments try and help their companies win new markets so does Uncle Sam. Except that the US government  has at its disposal cutting –edge technology and an arsenal of acts of  Congress that gives it unparalleled  power to do basically what it wants. If the US government had the moral stature of the Dalai Lama we probably wouldn’t worry. Unfortunately, trust in the US government (never very high to start with - remember Nixon, the Criminal-in-Chief of the 1970s?) has been steadily eroded by the Bush and Obama administrations’ continual assaults on public freedoms and individual rights.

In Europe, whose contribution to civilization includes the two most powerful totalitarian regimes of the 20th century, we take data privacy way more seriously than across the Pond. Hence the Safe Harbor agreement we insisted on for lack of a better alternative. Except that the agreement soon turned out not to be worth the paper on which it was written, as we realized that technology firms’ self-certification didn’t amount to much.

With Safe Harbor now in tatters, we have a unique opportunity to fix this issue in a more credible way. One key demand of Europe which must be met is to put an end to America’s extra-territorial laws. Just as European laws cannot apply in the US, the arm of American law cannot extend beyond its shores. Facebook/Google/Apple/Amazon/Workday/Salesforce/Microsoft must NOT be forced by US courts to hand over data stored offshore. (Hats off to Microsoft for steadfastly refusing to comply with orders to hand over European customer data) User organizations must insist on their data being stored in their own region with full guarantees that no access from the US would be allowed.  Of course, this is easier asked for than complied with. If a vendor’s California-based support technician accesses a   European customer’s system to fix an issue,  the data may well find itself replicated on a US server where it would fall under US jurisdiction. (And careful about that spreadsheet of employee bonuses being emailed from a European office to a manager in the US - that may no longer be legal).

At Cornerstone's Convergence event in London this week, I asked their founder and CEO, Adam Miller about it. He promised they would never transfer European customers' data to the US.
"What if a  US court requests you to hand over the data? Will you refuse to comply?"
"We will not  hand the data over, because it is not  ours. It is our customers'," Adam replied categorically.

I always find it very entertaining to see some SaaS vendors insist that, during implementation, all customer data to be migrated can only be  sent via a secured, encrypted STP server, never by email or a thumb drive in order to ensure system integrator (SI) consultants never have  a copy of your data. Well.... Many screens or reports can easily be exported in Excel or PDF format on a desktop or laptop. No SI checks at the end of the day that their consultants’ laptops are clean. Nor do they prevent external hard drives being hooked up to their computers.

My advice to my clients: be vigilant. Model clauses are a way to go, but may not be enough.  Know what is at risk, what you can live with and what you can’t. And challenge your cloud vendor. Tell them that being compliant with their home government is fine, and even mandatory in many cases, as long as it doesn’t adversely affect you. But one thing's for sure: with this landmark ruling , data privacy in Europe will no longer be the bed of roses it has been for American vendors. Their cost of doing business has clearly gone up one notch.

No comments:

Post a Comment