Safe Harbor and the EU – what you need to know about your IaaS cloud computing provider

ProfitBricks started as a German company, meaning that we need to play by German rules and laws. So while we have a strong presence in the States and even operate out of a datacenter in Las Vegas, our data security and privacy philosophy is steeped in “Datenschutz”, the German data protection laws, which are even stricter than those of the European Union.

Until now, for most American companies, this didn’t mean all that much. Sure, data protection is important, but whether we met EU standards or US standards mattered little to most users.

ECJ Safe Harbor Ruling

That changed this week when the European Court of Justice (ECJ) issued a binding ruling that the “Safe Harbor” agreement is now illegal, ending the protection that thousands of US and EU companies have used to protect EU citizen data since the year 2000.

In short, this ruling made the cloud very physical by focusing not just on the integrity of the data, but on the physical location in which it is stored and how it’s transferred.

This means that EU companies and EU subsidiaries of US companies of all sizes must find an alternative mechanism for their data transfers to the US. They need to dig into their IaaS contracts and understand where data resides and how it moves.

US Companies with EU and German-based customers

One sure way that US companies with customers/users/partners located in the EU can comply is to only consider signing an agreement with an EU company that has data centers located in the EU. They should also make sure to understand the data protection laws in each country in which they plan to do business to ensure that their infrastructure meets local requirements. If these US companies plan to have customers in the large German market, they should only pick a company registered in Germany with data centers in Germany itself. It’s important to note that it’s next to impossible to meet the Datenschutz (German data protection laws) requirements without signing an agreement with a German company. Signing an agreement with an IaaS provider registered anyplace else in Europe will not meet the requirements, especially if the IaaS provider has a parent within the US.

This pain for most companies will be short-lived. The government bodies and politicians will eventually come to an agreement because the digital economy and transatlantic digital industry are so large and important that they are not going to come to a complete halt just because of the ruling.

Current status

This is an unfortunate and costly ruling, and it undermines the long-standing commitment that infrastructure providers have used to implement data protection methods for customer data. Quality IaaS providers provide customers with secure, cloud-based virtual infrastructure and are flexible enough to run the tools and software-defined networking architectures that give customers control over their data, encryption methods and data transfer methods. ProfitBricks, Inc., is also a founding member of the Internet Infrastructure Coalition, which is supporting the Judicial Redress Act, a bill that provides European citizens the same privacy protections given to U.S. citizens under U.S. law.

At this time, we encourage US companies that are transferring EU citizen data and/or have customers or prospects in the EU and Germany to look for an IaaS provider, like ProfitBricks GmbH, that is registered in Germany and that has data centers in Germany.