With the fall of the EU/US Privacy Shield leaving the transfer of information from EU citizens to US companies in legal limbo, Stefano Maffulli, Scality’s senior director of community and marketing discusses what’s next.
Personal data flows between countries as fast as dollars and euros. The current of personal data between US companies and European citizens was abruptly switched off after Europe’s top court killed a trans-Atlantic agreement that allows data to move between the European Union and the United States.
This of course means that the transfer of information from EU citizens to US companies is on shakey legal ground. Are you reading this on a mobile phone? Your browsing information is transferred to the US.
Every time you type a message on your phone in Rome, the predictive keyboard transfers data to Google or Apple across the pond.
Or say you wedge a Tesla through the narrow streets of Amsterdam – that data flies right over to the US. Without the legal framework of the Privacy Shield, all of these daily activities are technically illegal.
Companies have to rethink their data transfer and storage policies before they become outlaws. It won’t be easy. Any firm that collects and manages data of European citizens must sift through their applications and storage policies and storing data in European availability zones from US-based companies won’t be a workaround anymore.
Tech titans like Google and Facebook are diving for loopholes, arguing that the ECJ left the system of standard contractual clauses (SCCs) in place, the section of the Privacy Shield that facilitates data transfer.
But with the Privacy Shield down, the SCCs won’t help them export EU data, says Carlo Piana, who has been practicing IT law in Europe since 1995.
What used to be fairly straightforward – like storing logs from a server in one of the many available EU data centres – won’t fly now.
“It’s a lot more difficult to confine data from applications like speech recognition in mobile phones to Europe,” he adds.
While the court didn’t strike them down directly, the SCCs are only valid if they respect the same standards of protections granted by European laws. The trouble? Those same companies fall under Foreign Intelligence Surveillance Act (FISA) jurisdiction, rendering SCCs invalid.
Lawmakers are heading back to the drawing board. The US Chamber of Commerce is already in damage-control mode, urging governments to ‘develop a stable and sustainable mechanism for companies to transfer data between the European Union and the United States’ or risk denting the $1.1 trillion in total trade in goods and services between the two.
Privacy activist group NOYB (My Privacy is None Of Your Business) has already outlined an 1,800-word FAQ for European companies.
Fines for violating the GDPR are massive, although the same group admits that seven years after the first sentence the Irish Data Protection Commissioner is yet to provide the guidelines to force Facebook to respect it.
What this means for cloud storage
European efforts led by France and Germany to build a sovereign cloud infrastructure matter more than ever.
Take GAIA-X, a project started in Europe for Europe that aims to develop common requirements for a European data infrastructure driven by openness, transparency and portability in the EU.
Of course, storage doesn’t happen in a vacuum: applications drive the need for storage and re-architecting them for compliance is a nightmare.
Expect a massive push to move out of the US, driven by European companies.
The Covid emergency relief package will kick it into higher gear, leading governments away from Silicon Valley startups.
Take, for example, the gargantuan 500,000-seat contract granted to Slack-rival Element to support distance learning for German schools. Concerns with data sovereignty Element have already made it the choice for governments in France and Germany.
Snakes and ladders: Brexit and the EU
Until the end of 2020, the General Data Protection Rights (GDPR) framework still rules the exchange of data between the EU and UK.
Before the Brexit transition ends, the EU must assess the adequacy of UK laws in relation to GDPR. The outcome of that assessment is the starting point for future data exchange at the newly re-established old border.
Both sides of the table have signalled this could be an easy move forward, since UK privacy laws are modelled after the GDPR. However, UK Prime Minister Boris Johnson has stated that he feels no compunction to conform to them in the future, leading down a slippery path.
Laws between the US and the UK further complicate the playing field. Today, data is swapped between them thanks to regulation more or less identical to the Privacy Shield.
Both countries are also members of the Five Eyes intelligence alliance. Brussels has long been uneasy over the surveillance group, a sentiment that still prevails after the European Parliament turned its investigators on the Echelon program in the early 2000s.
Move fast and fix things
How Brexit could impact the adequacy assessment is a bet that bookmakers are not ready to take, yet.
If the EU doesn’t grant an adequacy exception to the UK, there will be yet another big problem: data will stop at the Irish border, too. Like most things in 2020, it’s hard to predict how this will end, if not in chaos.
That said, we have to move fast. This time, there’s no grace period for compliance.
The UK and Europe need a single market for data that is attractive to local developers. Only a concerted effort between the EU Commission, national governments, corporations and citizens will put data back where it belongs.