In early December I was asked to complete yet another CTO survey from an online backup provider, asking me to select my preferences for data storage location. The obvious candidates were listed: UK, European Union, USA and so on. My first thought was that the backup provider was trying to attract new business following the European Court of Justice ruling in October on the Safe Harbour agreement. Safe Harbour had been in operation for the past 15 years, allowing US service providers to receive and store EU personal data in the United States on the basis that the provider had signed up to protecting that data to the same standard of care required by European legislation. On 6th October 2015, in the case of Maximillian Schrems v Data Protection Commissioner, the European court ruled that even where US companies take adequate protection measures, US public authorities are not bound by the Safe Harbour principles. This leaves European citizens’ data privacy exposed to US government surveillance, and effectively invalidated the Safe Harbour agreement that had been the legal basis for transferring data between the European Union and US based service providers. In light of this ruling, EU based organisations should ensure that all electronic personally identifiable information is stored within the EU.
This doesn’t mean that storing information anywhere within the European Union is in itself sufficient: organisations are still responsible for ensuring that the data is kept secure, kept up to date and retained only for as long as is necessary.