I wish I knew. With each article I read, I get (slightly) more confused. Evidently, US authorities seem to insist that they are sufficiently safe, while some European regulators occasionally appear to require additional safeguards.
Where does this leave a confused data controller?
First, in a state of bemusement, and then a feeling of frustration that there does not appear to be a single, simple, message to follow.
Should they listen to the assurances of the US-based cloud providers, who claim that all is fine and dandy, or should they take heed of other experts who point out that other regulations can impose additional obligations on data controllers and cloud providers in respect of some categories of data. For example, financial services firms also have to comply with MiFID standards, which require outsourcing service providers to guarantee physical access to premises upon which data is processed. How can this be achieved in a safe-harbor cloud environment? Presumably, the identities of the location of sub-processors would need to be revealed. Presumably, the data controllers would need to check for themselves. But opinion varies as to whether these are steps that ought to be taken by responsible data controllers, or whether they can rely on self certification by a safe harbour cloud provider.
Then again, the financial institutions to which MiFID applies are surely large enough to negotiate special arrangements with cloud providers. The vast majority of data controllers, I suspect, simply don’t have the time or the resources to worry about these sorts of things.
So, I suspect, the data controllers will continue to take their cue from the regulators. Surely, they will think, if the regulator has not banned cloud operators from operating in their country, then they must be ok. And, as the best known cloud providers are large scale organisations, they are undoubtedly much better resourced than any small or medium sized data controller would be to design, supply and support a secure storage environment. Given the current scarcity of computing skills, surely their offerings can’t be too readily dismissed.
If I were to have a plea, though, it would be for our chums looking after Britain’s critical national infrastructure to consider promoting a British cloud service provider that met whatever security standards were required to be considered sufficiently robust for the British national interest.
But I won’t hold my breath.