Within today’s technology landscape, navigating data compliance is complicated and ever evolving. As consumers, we’re more connected than ever — through e-commerce websites, social media, streaming platforms, and other online tools. From tracking the steps of my morning walk with my dog to booking a doctor’s appointment with a few swipes on my phone, the benefits of connecting our personal data to the world are as endless as they are easy to take for granted.
At Sitecore, we understand both the value of data and the importance of protecting it. Privacy and security laws are changing quickly to protect consumers’ personal data and we have to adapt to keep our customers’ data safe.
In July, Europe’s highest court invalidated the Privacy Shield, a trans-Atlantic agreement that allows companies to move data between the European Union and the United States. This agreement is important because it’s used by more than 5,000 companies — but what does this really mean for businesses that transfer data between the E.U. and the U.S.?
Data hosting: What you should know
As a Sitecore customer, you have a few options when it comes to storing your data — largely based on your company’s infrastructure and hosting choices. No matter what Sitecore product you use, you’re in the driver`s seat when it comes to controlling your data. This means you have total control over the data you collect on your customers using Sitecore products. Because this data may include personal data (such as contact information, employment details, website visit information, and website activity), you need to ensure you’re fully compliant with how you collect, store, and use it.
To make sure you have flexibility when it comes to data storage, we use global data centers through the Microsoft Azure network. When you become a Sitecore Managed Cloud customer, you can choose where your data is stored from the available data centers around the world; once you do, your data stays in that region unless you ask us to move it. When it comes to determining the right approach to data storage and hosting for your organization, the following three questions are critical :
- What does compliance look like in that region?
First and foremost, infrastructure has to be compliant. Depending on where your business operates and where the data is coming from, this might include laws such as the General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA). These laws have different ways of defining organizations, data, and individuals who are subject to privacy and data protection laws in the EU and California — and we’re well aware they’re not the only laws that impact data. Sitecore’s Data Governance Team is constantly tracking these various laws, including their nuances, to ensure Sitecore products collect and treat data in a compliant manner.
- Where is your data being accessed?
When Sitecore is deployed, the servers have to physically run somewhere. This may mean placing infrastructure as close to website visitors as possible to ensure latency is minimized and response times are as fast as possible. For example, if you’re a European company, but most of your website visitors are from the West Coast of the U.S., it may make sense to use a data center closer to that geographical region.
- What are the requirements where you are based?
We know that our customers may operate in multiple locations where there may be a need to balance different requirements, particularly post-Brexit. For example, if your company is headquartered in Ireland, with website visitors in the U.S. and Europe, but your marketing team is based in the UK. This may mean that it can make sense to host data in more than one data center.
What is the Privacy Shield?
To understand the significance of the recent change, it’s important to understand the context over the last decade. In 2013, Edward Snowden, the American whistleblower, disclosed information about the surveillance activities of the U.S. national security agencies, which led to many legal challenges to the way international data was handled between Europe and the U.S. One of the most significant came when privacy activist Maximilian Schrems challenged the way Facebook Ireland exported data to California. This led the Court of Justice of the European Union (CJEU) to declare the Safe Harbor agreement invalid in 2015.
The Privacy Shield was intended to replace the Safe Harbor agreement as a workaround for the General Data Protection Regulation (GDPR) by creating protections in the U.S. for European data that were equivalent to data protection rights for people in the E.U. But in December 2019, the CJEU started to question whether this agreement was actually working — leading to this recent invalidation of the Privacy Shield in July 2020.
This recent ruling neither changes data flows for our services nor the way data is stored using the Microsoft Azure cloud. We only transfer customer data in accordance with the Sitecore Data Processing Addendum (DPA), which allows two levels of protection for data transfers. One is the Privacy Shield framework, which is now invalid. But the other is the Standard Contractual Clauses (SCCs), which remains valid (for now) and in place with our customers. The Schrems II ruling doesn’t change your ability to transfer data today between the EU and U.S. — so you don’t need to worry or take any action at this time.
This recent decision is a reminder that working with trusted partners matters — and we at Sitecore take our roles seriously and proactively when it comes to protecting your data. We’ll continue to monitor developments and we’re here if you have any questions.
Rachael is Senior Director, Legal Counsel (Global Privacy and Data Security) at Sitecore, where she manages the company’s internal data governance program and advises on global privacy, data protection, and cybersecurity matters. Follow her on LinkedIn.