In a landmark ruling in the European high court last week, the agreement between the EU and US for transatlantic data sharing was overturned.

While some media reports portrayed this as a shock, others saw it as the inevitable result of a long-running dispute between Europe’s orientation towards privacy and America’s prioritisation of national security. The reports almost all took solace, though, in the fact that the other main mechanism for data sharing, Standard Contractual Clauses (SCCs), had been upheld. Things are a little more complicated than this, though.
In the EU, the focus on privacy as a human right has been consistent. In GDPR it has applied regulation that has become the gold standard for data protection that is being copied elsewhere. The US on the other hand promised, not once but twice, with Privacy Shield and with its precursor Safe Harbor, to respect and protect the privacy rights of EU citizens, while simultaneously enacting laws that did quite the opposite.
And while national security was the main objective in the US, many of its measures have had unintended consequences:
- Mass surveillance: FISA 702 applies to all US “electronic communications service providers” (ECSPs), using secret courts and warrants to force them to hand data to the NSA/CIA without people knowing. Unfortunately, the US courts have taken an expansive interpretation that includes any company that provides its employees with corporate email or a similar ability to send and receive electronic communications (as with the Nationwide Mutual Insurance Company case).
- Extra-territorial over-reach: the CLOUD Act forces US-based technology companies to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil. While US tech firms now have a presence in the EU market, this law undermines any pretence that these operations are beyond the reach of the NSA / CIA.
- Inequality: Privacy Shield was meant to ensure equal privacy rights for both EU and US citizens, but in an executive order made in his first week in office President Trump said that the US Privacy Act would apply only to US citizens and no longer to non-US citizens – a move almost designed to undermine Privacy Shield.
In the recent ruling these laws were cited not only as the reason that Privacy Shield was being overturned, but also as the reason why restrictions on the use of SCCs were being explicitly reaffirmed. To continue to use SCCs, organisations must ensure that data transferred to the US is properly encrypted to protect it in transit and is then stored beyond the reach of US surveillance laws. This would prevent all ECSPs from using SCCs on the grounds of inadequate protection, since they all fall under FISA 702.
In practice, however, a bank (that is not covered by FISA) may itself use an ECSP (that is covered by FISA). This means the bank’s data can be accessed by the NSA/CIA via the ECSP, so the ban on the use of SCCs would also apply to any organisation that used such ECSPs when storing or processing sensitive data in the cloud.
Interpretations
However, while organisations in other industries such as banks, airlines, hotels and shipping companies were not initially defined as ECSPs, US courts have interpreted ECSPs to include any company that provides its employees with corporate email or a similar ability to send and receive electronic communications. Thus, in the most expansive interpretation, almost any company with operations in both the EU and US is now potentially prohibited from using SCCs.

Early interpretations of the ruling have varied widely, from unrealistic (we can all use SCCs, so it’s almost business as usual), to optimistic (we can still use US cloud players as their EU regions are safe), to pragmatic (let’s de-risk by moving all sensitive EU data to EU cloud players) and even drastic (we can’t use any kind of US cloud, even private cloud, as almost all US firms count as ECSPs). However, experts from Schrems to Professors Daniel J. Solove and Paul Schwartz agree that, in addition to the demise of Privacy Shield, SCCs have almost certainly been fatally flawed.
The professors argue that as long as US law lacks “effective legal remedies for data subjects,” a “principle of proportionality” and sufficient controls over the use and retention of personal data gathered by the government, all data transfer mechanisms remain in significant doubt.
Without access to either Privacy Shield or SCCs there is no legal basis for the transatlantic transfer of personal data from the EU to the US. Not only are companies that are transferring data illegally to US recipients now required to stop all such transfers as quickly as possible in order to avoid facing fines of up to 20 million Euros or four percent of their global turnover under the GDPR, but the ruling also reaffirmed that national Data Protection Authorities (DPAs) have a responsibility to enforce these penalties.
Local cloud players
Fines are potentially not the greatest threat here though – while the largest GDPR fine to date has been €51.1 million (£46.5 million), this is dwarfed by the recent legal claim in the UK against easyJet for £2000 each for nine million victims that could amount to £18 billion – 387 times as much. GDPR fines of £183 million and £99 million from the UK’s ICO against BA and Marriott have been deferred pending the completion of further investigations.
Users of EU companies can now request that these companies stop transferring their personal data to the US. If companies do not follow these requests, users can file complaints with a DPA or file a lawsuit with their local court. This may lead to preliminary injunctions and/or emotional damages. In many EU countries, consumer groups, workers’ councils and other bodies can also file collective or class actions if a company continues to transfer personal data without a legal basis.
All organisations now need to conduct an urgent review to see if they or any of their sub-contractor(s) are subject to relevant US surveillance laws (they certainly apply to all US data processors or cloud firms), and if their data transfers are encrypted to a level that ensures that ‘tapping’ during transfer is impossible. Following such a review, they will need to communicate to their EU/EEA customers if their processing of personal data is affected by the judgment.
In fear of fines and litigation, organisations will inevitably shift sensitive data back to the EU and place it with local providers rather than US ECSPs. This will massively shift the dynamics of the European cloud market. A few local cloud players have already achieved critical mass, and either operate only in the EU or have operations in both the US and EU that are ‘air gapped’ with controls to protect them from seizures under the CLOUD Act.
Potential examples might include the leading European player OVHCloud or UK public sector specialist UKCloud – both are headquartered in the EU and have a strong commitment to data protection and operational controls, while OVHCloud was recently commended by Forrester for being able to offer unified services at scale within a Cloud Act free European environment. The ruling will also provide a shot in the arm for the recent Gaia-X European cloud initiative.
What is more important to America, trading with its European allies or spying on them?
Pundits in Silicon Valley have been quick to claim that GDPR and the restrictions imposed by this ruling are protectionist and anti-competitive. They overlook the fact that while they themselves enjoy the protections of CCPA, their government made commitments to provide similar protection to EU citizens before choosing to enact laws that undermined these very commitments.
Imagine for a moment if EU courts told EU tech firms to seize data held on their servers in California (where the GDPR-like CCPA applies) including personal information on Californian citizens, and if the EU also removed protections to Californian citizens that they offered to EU citizens.
Whatever the various initial reactions to this ruling, the real solution lies, as it always has, with the United States Congress. If US corporations can no longer confidently rely on either SCCs or the defunct Privacy Shield, then instead of complaining about the ruling, they should focus their considerable lobbying power on fighting for real legislative change in the US to uphold the commitments made under Safe Harbor and Privacy Shield to protect the privacy rights of Europeans in the US.
Footnotes:
1) If FISA is seen as undermining the ability of US firms to provide adequate protection, then the UK’s ‘Snoopers Charter’ is likely to be seen in much the same way. Negotiations on post-Brexit data transfers may not only be heading into choppy waters in the Atlantic, but in the English Channel as well!
2) America’s European allies are not the only ones critical of mass surveillance in the US. A new Cloud Assessment and Authorisation Framework has just been released by the Australian Cyber Security Centre. It is closely aligned to the recommendations in Europe about using local cloud providers to avoid extrajudicial control and interference by a foreign entity. With both the EU and Australia calling for legislative reform, how long can Congress put this off? After all it can no longer just be portrayed as an EU problem.