Safe Harbour: My firm uses Google Docs - what do I do now?

We examine the implications of the European Court of Justice's ruling that Safe Harbour is invalid

Now that the Safe Harbour agreement is no more, many people and organisations will be wondering where that leaves them in their use of US-owned cloud-based services such as Google Docs, Salesforce, Office 365 and Netflix.

What if their business is based on the cloud, or if their website or payment processing systems have been outsourced to a US-owned firm? Ultimately they are responsible for their users' personal or sensitive data so how can they be sure they are compliant? What if there is a breach?

And what about public-sector organisations, who recently have been outsourcing support and back-end services like HR functions to US cloud companies such as Amazon to save money? Do the regulations still apply?

The dust has yet to settle and there are many issues to be worked through by the regulators, but the reality is that the demise of Safe Harbour has not come as a complete surprise, even though the exact timing may have been. What's more, large companies such as Amazon and Google have been building data centres in Europe in anticipation of stronger data privacy laws being passed by the EU. While these are no more safe from the attentions of the NSA than their US-based ones, they are at least compliant with the EU sovereignty rules as they currently stand, provided replicated data also remains within the EU.

The other thing to consider is that Safe Harbour is not the only mechanism for transferring data between the EU and the US. There are also model clauses and binding corporate rules.

"It depends on which mechanism those businesses used to transfer data outside of the EU," says Luke Scanlon, consultant lawyer at Pinsent Masons.

"Particularly for the cloud products they most likely use a different mechanism. Safe Harbour wouldn't be the basis of their ability to provide their services."

That said, all mechanisms for data transfer between jurisdictions are likely to come under increased scrutiny.

"Part of the decision was to discuss the powers of regulatory bodies and how they use their investigatory powers. How often do they investigate breaches in relation to data transfer? That's not on the top of the audit agenda list for a regulator as opposed to something like data security," Scanlon says.

"The question remains open as to the validity of the other mechanisms."

Whatever replaces Safe Harbour (negotiations between the US and the EU are still ongoing), there will have to be a grace period built in to allow the data processing companies to re-engineer their architectures and supply chain. This cannot happen overnight. In the interim it is unlikely that consumers of services will see much of a change.

David Smith, deputy commissioner at UK data regulator the Information Commissioner's Office (ICO), said the European Court of Justice's ruling "is clearly significant and it is important that regulators and legislators provide a considered and clear response".

"It does not mean that there is an increase in the threat to people's personal data, but it does make clear the important obligation on organisations to protect people's data when it leaves the UK," he said.

"The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take some time for them to do this."

Smith goes on to say: "We will now be considering the judgment in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them. Businesses should check the ICO website for details over the coming weeks."

The advice, it seems, is to sit tight for now.