Europe rebukes US for mass surveillance
In a landmark ruling on 16 July, the Court of Justice of the European Union (CJEU) handed down a final ruling in the case between privacy activist Max Schrems and Facebook. Bill Mew sets out the ramifications the ruling will have on all of us.
Previous agreements for EU-US data sharing were struck down following a challenge against Facebook brought by Austrian law student Max Schrems.
The agreement was hurriedly replaced by Privacy Shield. Unfortunately, the new arrangement was little different from the one that went before it and was described as “putting lipstick on a pig”. Edward Snowden revealed the full extent of US government surveillance in 2013, while the Cambridge Analytica affair revealed the level of commercial data abuse.
European politicians and regulators were reluctant to rock the boat, even when the US implemented a series of measures that undermined confidence in their promises to protect our privacy:
- PRISM – a mass surveillance program in the US revealed by Edward Snowden
- FISA – a US surveillance program overseen by a secret court (FISC) with secret warrants
- Privacy Act – the main protection measure in the USA, but in his first week in the White House President Trump issued an executive order that it only applied to US citizens and no longer applied to those from the EU or elsewhere
- CLOUD Act – this is an extra-territorial measure to force US-based technology companies via warrant or subpoena to provide data stored on servers in the US or on foreign soil
- EARN IT Act – this created a 15-member government commission (including administration officials and industry experts) to establish “best practices” for detecting and reporting child exploitation materials, but these best practices were likely to include a backdoor for law enforcement and the dismantling of Section 230 protection
- LAED Act – not yet passed into statute, the Lawful Access to Encrypted Data Act of 2020 would ban providers from offering end-to-end encryption in online services or devices that does not include a means of decrypting data for law enforcement (such as a backdoor).
In a series of annual Privacy Shield reviews, politicians voiced unease about the gradual erosion of protections for US citizens, but shied away from taking any action. When they highlighted the lack of an ombudsperson to oversee the EU-US Privacy Shield agreement, the US failed for some time to nominate one.
Regulators, and in particular the Irish Data Protection Commission (responsible for overseeing most of the tech giants, as they have their European headquarters in Ireland), were also hesitant about taking action. The Irish regulator has more than a dozen ongoing actions against the tech giants, but has yet to make any real progress on a single one.
Frustrated at the lack of action by politicians and regulators in Europe and worsening US protections, Max Schrems continued to press for reform, resulting in the recent ruling.
What it all means
There have been two main arrangements for transatlantic data sharing: Privacy Shield, which, like Safe Harbour before it, is a broad agreement, and standard contractual clauses (SCCs), which are drawn up on an individual basis by each organisation.
Privacy Shield is now invalid, and SCCs can only be relied upon where the data importer can actually guarantee the protection they promise. Given that FISA warrants can be served on any US-based “electronic communication service provider”, US-based telcos, cloud firms and social media platforms are unable to assure the protection of private data from mass surveillance.
Consequently, companies like Apple, AT&T, Facebook, Twitter, Google and Amazon are no longer able to rely on SCCs and no longer have a legal basis for transatlantic data transfers. Indeed, given the extra-territorial provisions in the CLOUD Act, they likely don’t have a legal basis for storing your data in the EU either.
An end to all transatlantic data transfers?
Companies can continue to transfer corporate financial and production data, as the ruling applies to personal data only. There is already a derogation within GDPR that allows for the necessary transfer of personal data.
So to email someone in the US, I need to include my name, email address and recipient details. Likewise, to make a US hotel booking, I need to provide personal information on who the reservation is for. This kind of data needs to be shared.
However, sites like Facebook and messaging systems hold lots of personal information such as photos and videos that do not need to be stored in the US and could just as easily be stored and retained in Europe. This is where the ruling will apply.
Impact on tech giants
The tech giants now lack any legal basis for storing your data, but could also be facing enhanced GDPR enforcement. The CJEU placed an obligation on the Irish regulator and its EU peers to enforce the regulation in a timely and effective manner.
The ruling was a kick up the backside for the US in terms of its mass surveillance and to the Irish regulator for dragging its heels on enforcement. While the Irish regulator had its hand forced, it will be interesting to see the extent to which the US will reform its practices, if at all.
As long as the US ignores the call for reform, it will put its own companies at a competitive disadvantage. With their US rivals unable to use either Privacy Shield or SCCs, European service providers will have a window of opportunity to cater to customers who, wary of committing themselves to the US tech giants, look to repatriate a great deal of personal data.
However, it will not be simple for the Europeans. If they operate in the US, they could be subject to the CLOUD Act and therefore find themselves in the same boat as their US rivals.
Some, however, such as OVHCloud, have a special capital structure where their US and EU operations are entirely independent of each other but collaborate under cooperative agreements. This means they can offer services in both regions without the US government being able to serve a warrant on their US operation that would be enforceable on their EU counterpart.
Necessary response to ruling
Companies all need to assess the extent to which any of the personal data they hold on staff, clients or patients is outsourced to US processors, and what the legal basis is for any such data transfer.
If you want to use a US-based cloud firm (like Amazon Web Services, Microsoft Azure, Google or IBM), there is no longer a legal basis for doing so, as neither Privacy Shield nor SCCs are any longer options available to you. This applies even if the US processor offers assured data residency within the EU or UK.
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...