The recent ruling of the European Court of Justice invalidating the EU-US Safe Harbor agreement has introduced a level of uncertainty into discussions around global data privacy. In my opinion, the complexity of the topic and lack of detailed understanding has resulted in additional confusion. As always, Workday puts what is right for the customer at the centre of what we do, and we are approaching this latest development with that core value front of mind.
I think in all situations like this, customers and the industry deserve plain speaking. There will be conversations between experts in the legal and privacy fields and these are valid and important. But companies just want to know the simple facts about what this means for them.
They want to know that cloud companies like Workday have other options in place to ensure bumps in the regulatory road are not the catastrophe for customers that some have suggested. And on this Workday can 100% confirm that for our customers, safe, secure, and private processing of their data remains business as usual.
Why is that though if Safe Harbor has been called into question?
Workday is committed above all to the security and privacy of our customers’ data and we have invested heavily in technology, processes, and procedures to protect it.
While Workday has certified compliance with the Safe Harbor framework for many years and remains committed to maintaining those protections despite the court ruling, we also offer European customers other legal vehicles for those situations―such as support maintenance, etc. —where processing of European customers’ data in the United States may be necessary.
As Commissioner Věra Jourová stated in the European Commission’s statement on Safe Harbor, “The EU data protection rules provide for several other mechanisms that provide safeguards for international transfers of personal data, for instance through standard data protection clauses in contracts between companies exchanging data across the Atlantic.” The use of Standard Contractual Clauses (SCCs), also known as model clauses, is a standard and accepted way to transfer personal data from the EU and a staple of our offerings regardless of whether a customer is hosted in one of our European data centers or in the U.S.
Workday has always included SCCs in its Data Protection Agreement (DPA) and many customers have signed a DPA incorporating these SCCs. Those that haven’t can sign an MSA addendum on Workday’s customer web site today and have the protection of SCCs immediately. This means that all customers that have signed either a DPA or MSA addendum will be able to rely on the SCCs to the extent their customer data is processed in the U.S.
Workday strongly encourages the European Union and the United States to finalise the revised Safe Harbor framework, for the benefit of the citizens of both jurisdictions as well as the global business environment and, importantly to us, our customers. We know that representatives of the European Commission and the U.S. Executive Branch have been working diligently to reach agreement on an extension, but with the European Court of Justice’s decision we feel it is best that this is expedited as quickly as possible to ensure that global businesses, including our customers, get the framework and guidelines for successful business and data flow back in place as quickly as possible.
In the meantime, Workday’s contractual commitments, backed by our deep technical capabilities in the cloud and operational practices, continue to meet current data protection legislation and reinforce our commitment to an open and transparent trust framework on data privacy on a global and local level.
As always, we offer a safe port in a storm.