Twice the USA has signed data sharing treaties with the EU, called Safe Harbor and Privacy Shield, in which each side promised to respect the privacy of personal data shared by the other. Unfortunately, while Europeans see privacy as a human right, America sees national security as a greater priority, writes Bill Mew, Founder and CEO, The Crisis Team. Consequently, while the EU has abided by its privacy obligations under the treaties and introduced GDPR to enhance protection, the US has taken a series of actions to increase mass surveillance at the expense of privacy, thus undermining its treaty obligations.
Examples of these actions would be:
Mass surveillance: FISA 702 applies to all US “electronic communications service providers” (ECSPs), using secret courts and warrants to force them to hand data to the NSA/CIA without the data subjects knowing. Unfortunately, the US courts have at times taken an expansive interpretation that could include any company that provides its employees with corporate email or a similar ability to send and receive electronic communications (as in the Nationwide Mutual Insurance Company case).
Extra-territorial over-reach: the CLOUD Act forces US-based technology companies to provide requested data stored on their servers regardless of whether the data are stored in the US or on foreign soil. While US tech firms now have a presence in the EU market, this law undermines any pretence that these operations are beyond the reach of the NSA/CIA.
Inequality: Privacy Shield was meant to ensure equal privacy rights for both EU and US citizens, but in an executive order made in his first week in office President Trump stated that the US Privacy Act would apply only to US citizens and no longer to non-US citizens – a move almost designed to undermine Privacy Shield.
Politicians were keen not to ‘rock the boat’ and therefore during annual reviews of Privacy Shield, the Europeans expressed their concerns, but avoided taking action against the USA. This shadow dance came to an end recently when Privacy Shield was struck down by the EU courts, and restrictions were imposed on the use of Standard Contractual Clauses (SCCs) – the only other legal mechanism for data sharing across the Atlantic.
Safe Harbor, Privacy Shield decision: What does it mean?
We are still waiting for an interpretation and ruling by the local DPAs in France and Germany, as well as the ICO in the UK. However, the logic is fairly clear:
SCCs cannot be used by any firms that fall under FISA 702
FISA 702 only applies to “electronic communication service providers” (ECSPs)
All the US cloud firms and many non-US cloud firms with an operation in the US fall under FISA 702
Even non-ECSPs are impacted: a bank (which is not itself covered by FISA) may use an ECSP (which is covered by FISA). This means the bank’s data can be accessed via the ECSP, so the bank cannot use SCCs either
This applies not only to their operations in the US but also to their operations in the EU, because the CLOUD Act, FISA 702 and EO 12.333, the main US surveillance mechanisms, have no territorial limitation. The hosting location is therefore irrelevant.
It states that MS Teams cannot be used LAWFULLY for the discussion/sharing of any personal data, and that this also applies to any other cloud service hosted in or on Azure, AWS or GCP for any OTHER type of discussion/sharing (i.e. processing) of any personal data. This guidance, if extended across the rest of the public and private sector (as it should be), will impact all use of everything from Gmail and Office 365 to Salesforce, LinkedIn and Facebook.
How do we get around this?
Grace period: there is none, nor is there any appeal to the ruling
Loopholes: there are none. US lawmakers, advised by NSA/CIA lawyers, drafted the CLOUD Act to close all potential loopholes
Ignorance: all organisations now need to conduct an urgent review to see if they or any of their sub-contractor(s) are subject to the relevant US surveillance laws (they certainly apply to all US data processors and cloud firms), and whether their data transfers are encrypted to a level that ensures ‘tapping’ during transfer is impossible. Following such a review, they will need to tell their EU/EEA customers if their processing of personal data is affected by the judgment. If companies ignore this or fail to do so, users can file complaints with a DPA or file a lawsuit with their local court. This may lead to preliminary injunctions and/or damages for emotional distress. In many EU countries, consumer groups, workers’ councils and other bodies can also file collective or class actions if a company continues to transfer personal data without a legal basis.
Legislative reform in the US: the real solution lies, as it always has, with the United States Congress. If US firms can no longer confidently rely on either SCCs or the defunct Privacy Shield, then instead of complaining about the ruling, they should focus their considerable lobbying power on fighting for real legislative change in the US to ensure adequate data protection for EU citizens. Unfortunately, whatever new administration we get in the US, most legislators are either too partisan or too pro-surveillance to support any such reform.
Blame the EU: America’s European allies are not the only ones critical of mass surveillance in the US. A new Cloud Assessment and Authorisation Framework has just been released by the Australian Cyber Security Centre. It is closely aligned to the recommendations in Europe about using local cloud providers to avoid extrajudicial control and interference by a foreign entity. Japan, Singapore and others are conducting similar reviews.
Use a local cloud player based in the EU: well … that might work!
Necessary personal data: there is already a derogation within GDPR that allows for the necessary transfer of personal data. So if I need to email someone in the US, I need to include my name and email address (or they don’t know who it is from or who to reply to), and the message also needs to include the recipient’s details in order to be delivered – on top of which there may be personal data within the message itself. Likewise, if I want to make a hotel booking in the US, I need to provide some personal information so that they know who the reservation is for.
All other personal data covered by GDPR
You can continue to use the big US cloud providers for (A) and (B), while using a local, in-country cloud provider for (C). This entails a data management overhead to ensure ongoing compliance across such a multi-cloud environment.
Alternatively, you could migrate (A), (B) and (C) to a local player that offers a sufficient variety of services at scale. Unfortunately, few regional players have adequate scale or an international presence to support you across multiple nations and regions, and if they have operations in the USA then they would potentially fall under FISA 702 themselves.
A few players, such as OVHcloud, saw this situation coming and structured themselves in such a manner as to have operations in the EU and US that are separate from one another. As Forrester recently noted, this enables OVHcloud to offer unified services at scale within a CLOUD Act-free European environment. The ruling also provides a shot in the arm for the recent GAIA-X European cloud initiative.
All eyes are now on the ICO, to see what their guidance is and what kind of fudge they seek to sell us, but the ruling is fairly clear and leaves them little room for manoeuvre.