Man working at laptop late at night
Adrian Newby Posted by Adrian Newby October 28, 2015

The Shift in US-EU Safe Harbor for Web Content Management

Recently, the Court of Justice of the European Union (CJEU) Advocate General, Yves Bot, has found that the US-EU Safe Harbor Agreement is invalid. His reasoning is that the unrestricted surveillance exercised by the NSA effectively prevents the protection of personal data required by the EU Data Protection Directive.

This has notable implications for how global organizations run their Web Content Management (WCM) practices in Europe (and, in turn, the world round).

Why should you be concerned?

Content management systems (CMS) process a lot of personal data on behalf of the customers and those operating in the EU are bound by the Data Protection Directive. Bot's opinion (which is likely to end up becoming official court precedent) means that US service providers can no longer rely on Safe Harbor to offer services to EU-based organizations.

With dynamic CMS solutions (those in which the content management platform is also the content delivery platform), customers must pick a single location in the world to deploy. For most vendors offering cloud-hosted WCM managed services, that single deployment location is the United States.

Dynamic CMS

According to Bot's interpretation of the law, this means that those installations can no longer be considered adequate for the processing of personal data for EU-based customers, even if the service provider is Safe Harbor-certified. Even if the EU was an option as a hosting base, relocating services is not an option because that would mean transporting personal data for US-based customers out of the US, which almost all of US-based customers prohibit in contract. US statutes such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB) also prohibit the practice.

So, with most CMS platforms, EU law will likely dictate that CMS customers either have to:

1) Run multiple CMS platforms in multiple geographies. This typically results in double or triple costs, fragmentation of customer data and risks associated with replicating content, templates and digital assets.

dynamic WCM expensive

2) Abandon personalization in the EU marketplace.

web content personalization

3) Deliberately disregard data protection compliance regulations.

data privacy violation

A fourth option, one in which companies with the above exposure encourage their customers to execute "model clause addendums", has already been considered and rejected by at least one jurisdiction in the EU (Schleswig Holstein, Germany) with many more to follow.

These "model clauses" predate Safe-Harbor and were introduced by the EU as a voluntary method for companies in countries outside the EU to agree to be bound by the same data protection constraints and requirements as EU-based companies. Safe-Harbor effectively formalized and standardized this practice, and added a central registry. The problem with these clauses is that they do not address the fundamental problem highlighted in the Bot's ruling, namely that the oversight of the NSA invalidates any promise or guarantee of protection.

While companies can voluntarily extend their service agreements with these "model clauses", they cannot constrain the actions of the NSA and so do not have the capacity to deliver on the promises they are attempting to make. For more information (in English), and (in German).

None of these are great options.

What does this mean for Crownpeak customers?

Organizations leveraging Crownpeak won't have to change their existing WCM platform in order to address concerns relating to this new jurisdiction. Crownpeak's decoupled architecture eliminates the privacy risk associated with dynamic websites.

For clients who implement Crownpeak's content management platform within the United States, they can deploy web servers to host and deliver Crownpeak-managed experiences (not requiring an on-premise WCM) anywhere in the world, including the EU, which means our personal data processing never has to leave the borders of the jurisdiction. This is not a new feature, introduced as a result of these recent data protection rulings. Our customers have been doing this for years.

CrownPeak Architecture

Organizations continue to trust Crownpeak for our ironclad commitment to help them address growing security and regulatory compliance concerns. Crownpeak's decoupled architecture allows our customers to continue to operate unaffected by this new development.