When the Irish High court referred Schrems v. Data Protection Commissioner to the European Union’s Court of Justice (CJEU), few security experts would have predicted the storm that was about to erupt. What began as a simple question over jurisdiction, turned into a sweeping invalidation of the Safe Harbor framework that had governed data transfers from the EU to the US for well over a decade. In the wake of the CJEU’s decision, US companies handling EU data scrambled to find a suitable replacement for Safe Harbor. Among the solutions were calls for model contract clauses, binding corporate rules, and ideally, a security framework to replace Safe Harbor.
The desire to simplify the data transfer process led to the creation of the Privacy Shield. Like Safe Harbor, the Privacy Shield would allow companies to self-certify on a voluntary basis. However, it placed additional requirements on participants to provide greater transparency as well as accountability with regard to data transfers and imposed sanctions and penalties for non-compliance. Other provisions required the US government to impose “clear limitations, safeguards, and oversight mechanisms” on access to personal data and to refrain from mass or indiscriminate surveillance.
On May 26, 2016, the Privacy Shield was dealt a crippling blow when the European parliament rejected the US proposal, arguing that Privacy Shield did not sufficiently address EU privacy requirements. Days later, the European Data Protection Supervisor determined that “Privacy Shield is not robust enough to withstand future legal scrutiny.” The Article 29 Working Party, European Parliament, and a coalition of EU and U.S. consumer organizations supported the decision and called for more stringent protections against government surveillance of EU data subjects. 
While framers regroup to improve the Privacy Shield, US companies are left with three options for validating the sufficiency of their data security and privacy programs:
- Restrict all processing of EU member data to data centers located in the EU and, where necessary, individual member states.
- Use binding corporate rules to define technical and organizational safeguards for EU-US data transfers and methods of redress for EU data subjects who object to transfers involving personal information.
- Adopt model clauses approved by Article 29 Working Group.
None of the remaining solutions are ideal. In the absence of a framework for determining EU-wide adequacy of their security and privacy programs, US companies will need to validate their programs on a case-by-case basis or silo EU data in member state data centers. Given the legal restrictions on data transfers, some EU-based companies may think that the cloud and SaaS, including SaaS customer communications management (CCM) applications, are more trouble than they’re worth.
While avoiding the cloud might seem like a viable option, the business advantages of cloud computing are so significant that businesses place themselves at a serious disadvantage if they forgo this technology. Moreover, SaaS CCM solutions offer serious advantages over their legacy counterparts. Subscription model pricing means low cost of entry and low monthly payments. Unlike legacy installations, SaaS allow companies to add and drop applications as business needs change. SaaS platforms incorporate workflows and content assets into a single platform, from which business users manage all phases of the content lifecycle using role-based access privileges. The resulting efficiency eliminates data silos, promotes collaboration, and dramatically reduces time to market.
To take advantage of SaaS CCM solutions, EU companies must carefully evaluate both their CCM vendor and their vendor’s strategic partnerships with cloud service providers. When selecting a SaaS solution, EU companies should consider the following factors:
What deployment models are available? Flexibility is key when it comes to deployment of SaaS CCM solutions. Look for a vendor that offers private, public, and hybrid cloud options. Multiple deployment options allow you to retain custody of regulated data, while taking advantage of economical pricing and agility offered by a public cloud for projects that don’t involve personally identifiable information.
Who retains custody of the data? Ideally, your CCM vendor will access personally identifiable data as little as possible. Look for a solution that uses test data in the production environment and make sure that any data transferred to vendor servers is encrypted.
Does the vendor have qualified solutions architects? The vendor should have a team of solutions architects with experience in analyzing the business needs of highly regulated industries, normalizing data to build a single source of truth, and creating master templates that comply with formatting and content requirements.
Who does the vendor use for their cloud service provider? The importance of the cloud service provider cannot be overstated when it comes to selecting a SaaS CCM solution. Look for vendors who have strategic partnerships with secure cloud providers. Some questions to consider when assessing the relationship between your CCM vendor and their cloud service provider:
- Does the cloud service provider have multiple data centers in the EU?
- Has the cloud service provider been certified through third-party security assessments using internationally recognized frameworks such as ISO 27001 and 27018, SSAE 16/SOC 2, and PCI DSS?
- Does the cloud service provider have a data protection agreement that includes model clauses approved by the Article 29 working group?
By conducting due diligence when researching SaaS CCM solutions, EU companies can comply with data protection requirements while taking full advantage of all that the cloud and SaaS have to offer.
This just in!
The aftershocks of the Brexit vote are affecting a sea change when it comes to EU data transfers. After rejecting the Privacy Shield in late May, the EU Commission has approved a revamped version that offers additional security, including safeguards for employee information, protections against tracking of online activity used for targeted advertising, and legal redress for disputes involving the misuse of EU subjects’ personal data. Under the Privacy Shield, an ombudsman will be appointed to resolve disputes involving US spying activities. While tech companies such as Google, Facebook, and Mastercard are applauding the deal, advocacy groups remain concerned over perceived security holes in the renewed Privacy Shield. 
Written By: Heather Havens
Elixir Technologies understands the security needs of highly regulated industries around the globe. To ensure that customer data is protected at all stages of the content life cycle, Elixir partners with Armor, a leading provider of secure cloud solutions with data centers in London and Amsterdam. Armor is ISO 27001 certified and has incorporated EU GDPR standards into its security program.
Looking for a secure SaaS CCM solution? To discover the power of Tango+ request a demo.