Keeping your cloud data inside the EU is harder than it seems. Now that Safe Harbor is dead, you cannot legally send data outside the EU without negotiating individual contracts with each supplier, and even when data is hosted in the EU you need to consider the risk of the US government demanding access (see Microsoft vs US government).
Does it affect me? If you use any outsourcers at all, then most likely yes. You need to make sure suppliers are looking after your data well.
The easiest thing to do – make sure your data is hosted in Europe, and that all suppliers will process data within Europe.
Here are 5 ways to protect your cloud information – in a nutshell, make sure every company in your data handling chain is European.
- Ensure any cloud services you use are European hosted.
- Check where any offsite backups are stored – if they are with a US firm like Amazon, make sure the backups are encrypted.
- Check the locations of any suppliers that are processing your data, e.g. translation firms, OCR firms, law firms.
- Check the off-boarding policy – the firm you choose could change location, or the law could change. Make sure there is a clear off-boarding policy, and that it will cope with the large data sets that invariably build up over a few years.
- Ideally, make sure that your suppliers are also European owned* – this will give better protection from the US government.
If you have to stick with a US firm or US Hosting then all is not lost – you just need to get the right contract in place. This Field Fisher article on model clauses is interesting.
How does this affect Projectfusion? As a European company we made the decision to switch from US owned data centres in 2013, and now host in the UK for our European clients.
*European firms can of course also be forced to disclose information under Mutual Legal Assistance Treaties, but an MLAT request would require international co-operation, and could not be done secretly.