This week the European Court of Justice has ruled that the EU-US Privacy Shield agreement is no longer valid, with immediate effect. The Privacy Shield was an agreement from 2016 between the US and the EU (and later Switzerland) which allowed companies to process the data of EU consumers inside the US without falling foul of GDPR privacy laws. GDPR only allows personal data to leave the EU if the data will be safeguarded to EU standards wherever it’s going, and Privacy Shield was a way for US companies to demonstrate compliance.
With Privacy Shield gone, every organisation that handles personal data needs to urgently re-evaluate where the data they collect on EU individuals is processed and take steps to make sure they’re still compliant.
More information on the BBC News site
At Ampliphae we help companies manage all the various risks that come with the use of SaaS – making sure that the benefits of SaaS are balanced against risks that are often hidden from users. One of the critical risks we regularly see is the potential to violate privacy laws including GDPR. With SaaS, the vendor relationship is very different from classic software – instead of bringing software into your organization from a vendor, you push your data (and that of your customers and employees) out into the hands of the vendor. In the process, you place enormous trust in every SaaS vendor you work with – because you are still responsible for complying with privacy laws.
Our analysis of customer SaaS application usage suggests that over 80% of traffic to SaaS applications can be destined for the US.
This is not surprising, as the US still drives so much innovation – but it means even companies that are EU-resident and only deal with EU consumers could very easily experience problems with GDPR now that Privacy Shield is gone.
So, what can you do to ensure that you remain compliant? It’s not realistic or desirable to move completely away from US-based SaaS applications, but you need to mitigate the compliance risk. In the short term, you can fall back on standard contractual clauses (known as SCCs in the jargon of data privacy), which effectively means that the US company has agreed in its contract with you to treat the data you give it properly. The European Court of Justice held back from blocking the use of SCCs, although privacy campaigners in the EU are working hard to get these invalidated too, arguing that they are unenforceable under US law. To make use of SCCs you will need to go through the detailed contract with each of your suppliers to make sure the terms exist. With SaaS, in many cases that contract consists of a click-through EULA.
When you signed up for that SaaS application, did someone in your organisation actually read the EULA and consider the risk before accepting the service?
In the longer term, it seems likely that EU-based organisations will need to take a close look at every SaaS vendor, ensuring that vendors use cloud infrastructure physically located inside the EU, and that they keep the data within those geographic boundaries over time.
There’s no doubt that SaaS-delivered enterprise apps will form a core element of your application strategy going forward – the overall cost of ownership, flexibility and access to innovation make them compelling.
However, you need to balance the very real risks of SaaS against the benefits, and with users empowered to make independent decisions about SaaS, that can be a challenging task.
The automation offered by Ampliphae’s SaaSGuard products will help you get your arms around the SaaS risk challenge and ensure that you don’t end up scrambling to react when the environment changes. Geographic location and security standards compliance are just two of the risks we can help you manage.