Last week our entire infrastructure and data storage moved from the U.S. to Frankfurt, Germany (EU). We would like to share why we chose a carbon-neutral hosting environment located in a country as tightly regulated on privacy as Germany.
Since October 6th, 2015, our legal team has been struggling with the fact that the Court of Justice of the European Union (CJEU) declared the EU-US Safe Harbor Framework invalid as a mechanism to legitimize transfers of personal data from the E.U. to the U.S.
Even though we don’t store PII (Personally Identifiable Information) in any of our default settings, our advanced tagging in ecommerce could be used by Convert Experiments users who want to deliver a personalised experience on their websites. We had to take action because, although negotiations between the U.S. and the E.U. were in progress, they were not finalized before the grace period given.
In previous weeks, the EU-US Privacy Shield was announced, a significantly better but still untested agreement that will replace the EU-US Safe Harbor framework. The first indications are that this new framework gives a lot more power to consumers, but even now that the text is finalized, we want to make a choice for long-term privacy, and we consider Germany the best choice for this, so we moved.
The new Privacy Shield gives consumers a better, free path to file a complaint with our clients or with us, and several fallback options for free consumer dispute resolution of privacy problems are now built into the framework.
It is a great effort on both the U.S. and E.U. sides to solve this problem. The new framework is better, with an annual review of privacy policies, and our renewal of Safe Harbor 2016 was met with additional checks and corrections by the certification authority, which we appreciate.
Mass surveillance by U.S. intelligence agencies, which the Schrems case addressed in October 2015, was followed by many suggestions from the E.U. for a better framework. Now, personal data flows freely, without safeguards, within the 28 E.U. countries and to several countries such as New Zealand, Switzerland and Canada.
The European Commission (EC) said:
“The EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities.
The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.”
Convert.com is a company with a conscious business philosophy, and we decided that in 2016 we needed to speak up for our vision. Our first step was moving to Akamai’s CDN to show our support for a more energy-transparent Amazon (AWS), and we signed the Greenpeace letter to Amazon’s board.
Moving our entire infrastructure away from AWS would take many resources that we could otherwise dedicate to improving our users’ experience. We could not make that move for economic reasons at this stage, but we will reconsider it in the future (yes, you may call us hypocritical for this).
The problem with the EU-US Safe Harbor, the as yet unclear Privacy Shield, and our intention to go carbon positive as a company this year made us spend all of January migrating all our application servers from AWS U.S. to AWS Frankfurt. Our website and blog were moved to the UK, and our login and security environment is pending a move to Europe as well.