It's very early days, but this court ruling, triggered by a complaint about facebook, has the potential to be pretty disruptive for global HR systems, so worth considering it's implications now.
This blog article is meant to be a conversation starter and does not constitute legal advice in any form.
What happened?
Basically, following a complaint from an Austrian citizen, the European court of justice confirmed, what this citizen claimed - and most people knew anyway all along even before Edward Snowden's relevations: data privacy in the US is on a lower standard than in the EU. So, no surprises there. But as with the original "The Emperors' new Clothes" story, a truth known and a truth spoken can be two completely different beasts.
So far, the so called Safe Harbour agreement between the EU and the US, allowed (under certain conditions) to work on the assumption that the protection of personal data in the US is the same as in the EU for legal purposes - to put it simply.
The recent ruling has effectively invalidated the Safe Harbour agreement:
http://www.bbc.co.uk/news/technology-34442618
What's the impact on companies using HR solutions from SAP?
If you keep personal data of employees from the EU on your own or hosted server within the EU, there's no problem. For SuccessFactors customers, SAP offers several data centres within the EU and as most EU customers insisted on these data centres so far, those are safe as well (same is true for Concur). But to be safe: if you are not sure, where your data centre is, check it with SAP.
Customers using further hosted or cloud based solutions should check those as well regarding the data storage location.
I guess it gets interesting for global organisations. So far, US based corporates would usually have stored data of European employees on their own US based servers or in SuccessFactors' US datacentres. Will they be able to continue doing so, if they gain permission from employees? And would it be legal to make this permission part of employment contracts?
Or will Eurocrats in Brussels oblige and come up with a successor of Safe Harbour to allow business as usual?
I don't know. Probably nobody really knows. Fact is that here's a risk for many organisations' HRIS strategies and it affects SAP cloud solutions no more than on-premise (it may actually be worse for other cloud vendors, if they can't guarantee EU data centres).
Will this data privacy challenge actually end up driving cloud adoption?
Data privacy concerns so far have been perceived as a barrier to cloud adoption - rightly or wrongly: this shall not be discussed here.
However, if this new challenge - together with the new regulation in Russia in force since 1st September 2015 and similar rules across the globe - leads to the requirement of some kind of geographically distributed storage of personal data in future, then I see cloud solutions actually much better positioned to deal with it than individual organisations with their on-premise systems. Most notably for cloud vendors with a strong global data centre infrastructure like SuccessFactors.
So, I wouldn't be surprised, if this situation rather than slowing down cloud adoption, as data privacy concerns did so far, ends up pushing it.
It would be interesting to hear your take on it.
- How are your organisations responding?
- Maybe some of you even had contingency plans in place for this not-so-black swan?
- Has the recent similar requirement from Russia helped to be prepared for this?
