Is Privacy Shield Crumbling?

No Longer a Safe Harbor

In the beginning, Safe Harbor was formulated to govern the transfer of European Union ("EU") citizens' personal data to the United States.  With much fanfare, it was set up to address apprehension about snooping by the US government but was later struck down by the European Court of Justice following a legal challenge by Max Schrems.  Privacy Shield was subsequently instituted as a substitute and approved by the EU.  However, even after approval, Privacy Shield is still awaiting a comprehensive evaluation by EU Data Regulators.   

First Cracks

Although still in its infancy, Privacy Shield is now facing mounting challenges. 

Digital Rights Ireland ("DRI"), an Irish civil liberties organization, has filed a complaint because it feels that Privacy Shield does not contain adequate protection for EU citizens.

La Quadrature du Net ("LQN"), a French privacy advocacy group, has challenged the adoption of Privacy Shield, stating that the restrictions on bulk collection of data are inadequate and that the U.S. does not have an effective means for handling grievances.

The Article 29 Working Party, which is composed of Data Protection Authority representatives from each EU Member, has also expressed concerns about Privacy Shield because it does not prevent large-scale and arbitrary compilation of EU citizens' personal data.

And now, Yahoo has been accused of scanning hundreds of millions of Yahoo mail accounts at the request of the US Government. Do the challenges to Privacy Shield have merit? Is this evidence that the U.S. oversight efforts are not sufficient?

Faster Than a Speeding Bullet

Max Schrems and others are raising concerns about the speed at which organizations are implementing and being approved for Privacy Shield. Over 500 organizations have already signed up and more than 1,000 others are underway. These include such well-known firms as Google, Facebook, and Microsoft.

In fact, organizations are coming on board at a much faster rate than those that joined Safe Harbor, which took about 15 years to get up to 5,000 participants. This could be attributed to a number of factors, including the increasingly global nature of the economy. However, the goal of implementing Privacy Shield was to establish a more rigorous standard for protecting individual privacy than existed under Safe Harbor. In this respect, should there be a concern that so many organizations are implementing the supposed heightened level of safeguards in such a short time?

If you don't know where you are going, how do you get there?

If the challenges that were filed against Privacy Shield succeed, the companies that have already been approved may then need to use different tactics. This could ultimately mean keeping all European citizens' data within the borders of the EU. (Not sure how Brexit plays out here.)

To complicate matters even further, the decision that overturned Safe Harbor also specified that individual countries can devise a separate stance on security and privacy matters and independently order a cessation of personal data transmissions to the U.S. from their countries.

This leaves many US companies and Cloud Providers in a bind. Do they now need to negotiate with each nation in the EU separately? And where does that leave EU companies that want to place data in a US-owned Cloud Provider?

These challenges can significantly limit the ability of organizations to work with each other. They will also inhibit the ability to leverage the efficiencies and benefits of the cloud. So it is absolutely critical that each organization understand where its sensitive data is located to ensure that compliance with both EU and individual country regulations is maintained.

In some situations, organizations can look for guidance to the General Data Protection Regulation ("GDPR"). The GDPR specifies that pseudonymization is a technique that can be used to provide additional safeguards to protect personal data. Additionally, the GDPR states that data that has been anonymized is not considered personal data and is therefore free from restriction. As 80% of an organization's data exists outside of production environments, significant benefits can be attained by securely anonymizing the 80% that is non-production data and placing it in the cloud. The simplest solution may also be the path of least resistance.

Joe Santangelo
Delphix Corp.