With the European Court of Justice ruling that Safe Harbour is invalid, you could think that they have well and truly rained on the Cloud HCM parade – which is dominated by US providers. But the likelihood is, that although it is disruptive in the short term, it is more of a momentary inconvenience than a long term obstacle.
If you weren’t aware of what Safe Harbour (or Safe Harbor in the US) is – it was a legal clause that US companies used to self-certify that they had put appropriate data privacy measures in place to comply with local (ie EU) data protection legislation which has been around since 2000.
The ruling from the European Court of Justice comes in the light of the Snowden/NSA scandal, and was triggered by personal concerns about Facebook’s alleged “sharing” of private data with US Security agencies. And the ruling paves the way for the Irish Data Commissioner to investigate the claims deeper. But, whilst this has been largely a domestic issue, it has wider impacts for any provider with data transfers to the US. And that includes not just data files, but screen views of data – say by US based services teams.
The short term remedy for this debacle for customers of US Cloud companies is the use of “EU model clauses”, which can be inserted into contracts outlining specific data privacy and management obligations from the vendor. And generally most commentators seem to think that this is the way most providers will now go, even though the legal process is still “work in progress” for whether model clauses are acceptable.
Longer term the likelihood is US and EU agencies will create a new Safe Harbour 2. But it’s unclear how long that might take.
How will this effect Cloud HR?
For those in the process of signing new Cloud deals, the ruling makes the contract process more convoluted, as all data transfers made under Safe Harbour are now invalid. For existing clients – the ruling is not clear about existing Safe Harbour agreements, Either way… the first port of call needs to be your legal team…
What are the Longer Term Impacts?
This is certainly going to increase the focus on European providers. Regional data hosting has been be a critical expectation for international HR systems buyers for years, and US providers have on the whole addressed that with local data centres. But the ruling ups the ante. From our research, 25% of companies already see US data hosting as a barrier to adopting Cloud Based HR systems. With the court ruling, this is likely to become a pivotal part of the discussion.
Will this stop the growth of Cloud HR ?
Not really, the business opportunities and market place are too big for customers and vendors not to find a solution.
Final word – including regarding this post of course – we are industry analysts not lawyers, and all parties will be forced to get professional legal advice on how best to proceed.