The European Court of Justice has ruled that “Safe Harbor” provisions as they’ve existed for about 15 years are not adequate to protect Europeans’ data privacy interests. The BBC has posted a fairly extensive story on the ruling, and IBM has an official reaction.
If I understand IBM’s official reaction correctly (and the reactions of other technology companies), there’s great concern about regulatory uncertainties and, in particular, inconsistencies. That’s perfectly understandable and sensible. Nobody wants to deal with 28 or more unique data protection rulesets and legal regimes. According to the BBC’s report, the European Commission seems at least aware of that potential problem, which is encouraging.
In the wake of the ruling, businesses and other organizations must have “model contract clauses” in place (and obey those clauses!) in order to transfer personal data from Europe to the United States (and, I assume, to any other countries outside the EU/EEA/Switzerland). Those model clauses require the parties to take due care in how they use and secure Europeans’ personal data — the “rules of the road” for protecting privacy. For about a decade and a half, between Europe and the U.S. specifically, businesses could rely on a single “master” set of rules called “Safe Harbor,” but no more. Fifteen years ago European regulators feared that commercial entities would abuse personal data, inspiring “Safe Harbor.” Now the ECJ recognizes that governments are potentially or actually infringing individuals’ privacy rights, so the Court ruled that “Safe Harbor” isn’t enough.
So what does all this regulatory turmoil have to do with mainframes? As I’ve written before in various ways, businesses and other organizations handling personal data simply need to become much better stewards and protectors of those data. That was true before the ECJ ruling, and it’s even more true now. Mainframes and their middleware (e.g. DB2 for z/OS) are extraordinarily powerful, effective tools to help protect personal data and only to authorize access strictly according to complex, evolving rulesets. Mainframes uniquely minimize data movement and data duplication since they facilitate complex, concurrent information and application processing across a single instance of data. They are also excellent “cloud outposts” if/when they need to be. A single mainframe, even the smallest zBC12 model, is a whole “data center in a box.” The mainframe uniquely offers strict (and certified) security “zones” to preserve personal data separations within a single footprint. So if you build at least the privacy-protecting “System of Record” parts of your cloud infrastructure on IBM z Systems, you can much more easily and cost-effectively roll with evolving regulatory punches.
That’s not to say people like to have to worry about regulatory turmoil, especially if you already haven’t been adequately protecting personal data. (The IT industry has a lot to answer for in this respect, and so do regulators. There’s much work ahead, though only some of that work is a result of this ruling.) Fortunately there are some powerful tools available, mainframes included. Regulators (and courts) get concerned and act when industry fails, so, first and foremost, let’s not fail. Hopefully everybody can agree that privacy and protection of personal data are really, really important. Consistently important we also hope.