Safe Harbour Agreement: Does Your European HR Data Stand Naked After a Court Case Exposed the Emperor’s New Clothes?
It’s very early days, but this court ruling, triggered by a complaint about facebook, has the potential to be pretty disruptive for global HR systems, so worth considering it’s implications now.
This blog article is meant to be a conversation starter and does not constitute legal advice in any form.
Basically, following a complaint from an Austrian citizen, the European court of justice confirmed, what this citizen claimed – and most people knew anyway all along even before Edward Snowden’s relevations: data privacy in the US is on a lower standard than in the EU. So, no surprises there. But as with the original “The Emperors’ new Clothes” story, a truth known and a truth spoken can be two completely different beasts.
So far, the so called Safe Harbour agreement between the EU and the US, allowed (under certain conditions) to work on the assumption that the protection of personal data in the US is the same as in the EU for legal purposes – to put it simply.
The recent ruling has effectively invalidated the Safe Harbour agreement:
What’s the impact on companies using HR solutions from SAP?
If you keep personal data of employees from the EU on your own or hosted server within the EU, there’s no problem. For SuccessFactors customers, SAP offers several data centres within the EU and as most EU customers insisted on these data centres so far, those are safe as well (same is true for Concur). But to be safe: if you are not sure, where your data centre is, check it with SAP.
Customers using further hosted or cloud based solutions should check those as well regarding the data storage location.
I guess it gets interesting for global organisations. So far, US based corporates would usually have stored data of European employees on their own US based servers or in SuccessFactors’ US datacentres. Will they be able to continue doing so, if they gain permission from employees? And would it be legal to make this permission part of employment contracts?
Or will Eurocrats in Brussels oblige and come up with a successor of Safe Harbour to allow business as usual?
I don’t know. Probably nobody really knows. Fact is that here’s a risk for many organisations’ HRIS strategies and it affects SAP cloud solutions no more than on-premise (it may actually be worse for other cloud vendors, if they can’t guarantee EU data centres).
Will this data privacy challenge actually end up driving cloud adoption?
Data privacy concerns so far have been perceived as a barrier to cloud adoption – rightly or wrongly: this shall not be discussed here.
However, if this new challenge – together with the new regulation in Russia in force since 1st September 2015 and similar rules across the globe – leads to the requirement of some kind of geographically distributed storage of personal data in future, then I see cloud solutions actually much better positioned to deal with it than individual organisations with their on-premise systems. Most notably for cloud vendors with a strong global data centre infrastructure like SuccessFactors.
So, I wouldn’t be surprised, if this situation rather than slowing down cloud adoption, as data privacy concerns did so far, ends up pushing it.
It would be interesting to hear your take on it.
- How are your organisations responding?
- Maybe some of you even had contingency plans in place for this not-so-black swan?
- Has the recent similar requirement from Russia helped to be prepared for this?
Great stuff Sven; very interesting, I had not think this far yet.... Heard it on the news prior to the weekend but did not extrapolate it to SAP.
In Russia, Employee data must stay in the confederation.... if EU regulate toward rapatriating employee data to its own sovereign territory and it ends on generating local regulation in every countries (US might want to level up) on a global scale that could lead to an interesting puzzle for global companies.
it would indeed. Vendors might be able to provide split data centres for significant extra cost and complexity, but I just don't see how you can run reporting or any global process without uniting the data at least temporarily in one place. Hopefully I'm just not clever enough to see the solution....
Maybe data centres on neutral territory - like Mars - are the answer? 😛
Safe Harbor, as Sven correctly points out, was always more of a fig leaf that allowed the transfer of personal data to the US based on assumptions that the ECJ has now ruled are false. Signing the Model Contract Clauses (MCC) does little to resolve that, since these clauses contain significant exceptions for legal requests - in other words, US laws apply.
But the core issue is not so much that US privacy standards are lower than EU standards, but that US courts insist that US laws apply to data stored by US companies anywhere in the world. This is what the Microsoft vs the US government case currently before the US Supreme Court is about: do US laws apply to data stored by Microsoft in Ireland? MS argues that EU laws apply, but has so far lost the argument in all lower courts.
If the Supreme Court rules against MS, then MS will be forced to apply US laws on their data centers abroad. This would apply to all US companies. But, it goes further: even European companies like SAP have subsidiaries that are incorporated in the US under US laws, and which would be forced to apply US laws.
So having your personnel data stored in a EU-based data center is NOT a guarantee that US laws will not be applicable. I sincerely hope that in (re-)negotiating the successor to Safe Harbor, the EU will force the US to recognize and accept that US law does NOT apply in the EU.
Staying in Eelco Essenberg's picture: seems the fig leave has been replaced by a banana leave now 😥