Why The Cloud Makes The EU-US Privacy Shield Meaningless

Michael Laurie, April 28, 2016
Thumbnail

It’s fair to say that when it comes to data privacy, Europe has been hit by a huge Edward Snowden storm. The whistle-blower’s revelations that the United States’ National Security Agency has been harvesting the personal data of private EU citizens set the continent on edge. The European Court of Justice’s October 2015 ruling invalidating Safe Harbor - a collective 'you-have-our-word' agreement that previously governed EU-US data transfers - rocked Europe on its data heels.

In February 2016, the European Commission tried to allay anxieties by announcing the proposed EU-US Privacy Shield as the new governing regulation over EU and US personal data transfers.

"For the first time ever," Commissioner Vera Jourova said, '"the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms."

eIDAS and E-Signatures: A Legal Perspective

Lorna Brazell of Osbourne Clarke LLP navigates new eIDAS Regulation

Download the whitepaper

Holes in the privacy shield?

Yet many remain uneasy. First, the Privacy Shield won’t be formally signed until late spring or early summer; the larger body of data law, the EU’s General Data Protection Regulation (GDPR), is at least two years away from formal approval.

But the ambiguity of dates pales in comparison to the ambiguity of language and intention. The Privacy Shield proposes 'robust obligations on how personal data is processed and individual rights are guaranteed,' but these 'robust obligations' remain vague.

Further, the maintenance of boundaries between EU citizen privacy rights and US national security interests lies within the hands of the NSA, an institution that’s notoriously opaque and famously skilled at obscuring its activities.

Finally, and perhaps most alarmingly, there’s the means of redress itself. Under the new rules, an aggrieved EU citizen would have to seek justice within a non-EU jurisdiction, the United States, by filing a complaint with the US Department of Commerce and the US Federal Trade Commission.

A UK solicitor who specialises in data protection cases, Dai Davis, finds the entire process problematic. "In the US there is no protection for European citizens or their rights in the US constitution," he notes. "Besides, why should someone from Manchester have to go to the US to get justice for something that happened in Manchester?"

Business options for data transfer oversight

For businesses, the risks are high. The EU citizen who feels violated can sue the EU business with whom that citizen trusted his data. The potential fines, according to some calculations, may run up to four percent of a company’s annual global revenue.

What’s a business to do?

The obvious answer is compliance: comply with the EU-US Privacy Shield, comply with the new GDPR. But these evolving regulations represent ever-moving targets, and there is no guarantee that their provisions will hold up in court, or that compliance will give challenged companies sufficient legal cover.

As an alternative, companies can make their own Binding Corporate Rules (BCR) within their own contractual agreements. But these BCRs must be negotiated between every single business partner, and approved by the national Data Protection Authorities (DPA) overseeing these parties. For most businesses, BCRs are bewilderingly complex - expensive to manage, and impractical for most organizations.

Fortunately, there a third viable option.

Get out of the data transfer business

The root problem isn’t in the data, but in its transfer. As long as a citizen’s data stays within its national boundaries, there’s no legal cause for company concern. And there is really no reason why data should need to transfer across borders considering the availability of cloud instances in any region with a data center.

Sounds too obvious? Traditionally, the business obstacle was the expense of construction: building data centers to host customer information, country by country. Today, however, secure cloud hosting providers enable cloud service providers to deploy an instance of their solution anywhere, making it possible for organizations to do business everywhere, without being in the data transfer business at all.

Objections and advantages

Under current data protection laws, EU citizen data can be freely transferred to and stored in any EU nation and satisfy EU data protection requirements. This suggests that organisations may consider regional solutions within the EU.

The EU also allows for data storage outside the EU within 'white labeled' nations, such as Canada, whose data privacy regulations are considered as strong as or stronger than the EU’s.

Until the General Data Protection Regulation (GDPR) takes over in a couple of years, there are enough variations in data protection laws among the 28 EU countries that many lawyers may feel more comfortable with in-country data residency.

And frankly, there are additional business advantages to consider. When your business enjoys a wide geographic reach, in-country data residency via the cloud offers better network performance and superior response times, at much lower deployment costs.

Differences in formats, customs, laws and, more importantly, language, are much easier to manage at the local level; each country gets its own instance of your application modified to its exact needs. Scalability, a burden for centralised systems, becomes a breeze on the cloud.

While in-country is the ultimate solution, the cost and management of in-country storage and processing may need to be considered against a regional solution such as a combination of primary and secondary cloud instances in two or more EU states.

Let’s put our heads in the cloud

No matter how the chips fall with emerging regulations, data privacy protections will be a headache for any business that must transfer data across borders. In-country and in-region data residency in the cloud gives businesses an easy and inexpensive way of avoiding the issue altogether. When we don’t have to worry about moving data, we can concentrate on building business momentum instead.

Sourced from Michael Laurie, vice president of product strategy for eSignLive, VASCO

This article first published in Information Age