EU privacy law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those of the EU.
The Safe Harbor Agreement that was made between the EC and the US government essentially promised to protect EU citizens’ data if transferred by American companies to the US.
In a two-year-old case forced to the EU’s highest court by Austrian privacy campaigner Max Schrems, the EUCJ ruled that the European Commission’s trans-Atlantic data protection agreement that went into force in 2000 was invalid because it does not adequately protect consumers in the wake of the Snowden revelations.
The big data handling firms (Google, Microsoft, Amazon, Facebook etc.) and cloud providers are having to rely on “model contract clauses” for the time being to authorize the transfer of data outside of the EU. Despite being standard and essentially fixed agreements, getting them approved before transferring data will be both a financial and administrative burden.
This is particularly important to audited and compliance-led businesses, which have an obligation to protect their customers’ sensitive data at all times and to be able to show that it is being stored and handled in line with the guidelines imposed on them.
Government officials are currently reworking the existing Safe Harbor Agreement, tweaking it and adding a layer of solid enforcement in order to reach a working agreement once again. It’s in the best interest of both the EU and the US to do so: US firms require it to be able to expand their offerings beyond their borders, and UK firms need it to take advantage of international services.
What’s the ‘short term’ answer?
Encryption. It’s good industry practice whenever customer data is held, and it’s a protective measure that mitigates the possible legal exposure of storing data off site or in the cloud while agreements are ratified. Encrypting data both in transit and in storage in the cloud, and keeping the decryption keys on premise, works around all of the legal and customer issues, as there will be no “personal” data in the cloud once it is encrypted.