Edward Snowden’s revelations about the NSA make it imperative for businesses storing customer data on the cloud to be aware of the EU’s new Privacy Shield Framework.
What does your company do with personal data? The age of networks, the internet, the cloud and industrial digitization have seen a huge rise in the collection, storage and transfer of data. Data privacy laws are also evolving, including a major new EU-wide change. For multinationals that share data between the EU and the US, the regulatory red tape just got much more complicated. In the rest of the world, the rules differ from country to country. But the EU is usually seen as a global model for good practice regarding the protection of personal data, and many countries will follow its lead.
The EU is concerned about the creeping domination of US technology companies like Google, Apple, Amazon and Facebook that store EU citizens’ data in the US. The July 2016 Privacy Shield Framework replaced the Safe Harbor agreement, ruled invalid by the European Court of Justice in October 2015. The change has generated a transatlantic tussle over data sovereignty between the U.S. Department of Commerce and the European Commission.
The catalyst for change was Edward Snowden’s NSA revelations indicating that information on EU citizens stored in the US was subject to surveillance that would be illegal in the EU. James Henry, UK Southern Region Manager at Auriga Consulting, explains:
The very concept of a worldwide data-based economy came under threat. Safe Harbor had been active before the era of social networking, ubiquitous computing, the cloud, Big Data Analytics, Deep Learning, mass profiling and so many other privacy-threatening technologies. It ceased to have relevance. It paid lip service to data sovereignty but failed to uphold the core principles.
The key aspect for industry is the conflict between the commercial use of data and national security. If a company anywhere in the world collects data from EU citizens and transfers it to a cloud storage platform that uses servers outside the EU, it could be breaking the law. It might be something as simple as editing a document containing personal details on a US-owned web-based application like Google Docs, or giving factory workers a FitBit that uploads activity data to a US-based cloud server. If any individually identifiable data is transferred to a third party, there must be some encryption.
To safely transfer data across the Atlantic, companies need to have clear privacy policies that link to both the Privacy Shield website and a website for logging complaints about data misuse. Companies also need to give individuals access to their own data.
Willy Leichter, global director of cloud security at CipherCloud, says:
The size of the organization doesn’t help it escape compliance. Any firm transferring personal data belonging to Europeans must comply, although smaller companies are less of a regulatory target and risk smaller, but still substantial fines.
Legislation drafted by the European Parliament envisions penalties of up to 5% of global annual turnover.
Leichter explained that complying with the Privacy Shield Framework is likely to be expensive. According to a survey by his company, an estimated 70% of all companies will need to invest in new technologies or services to meet requirements.
Many enterprises are already turning to data anonymization technologies, such as using a cloud access security broker to encrypt sensitive data. Encryption renders data unreadable to unauthorized parties. In the event of a breach, outsiders will have no way of reading the information without the consent and assistance of the data owner.
Google, Microsoft and other cloud vendors already use two-step encryption to ensure that any data that leaves the EU cannot be intercepted or tampered with, so clients transferring personal data will already have amended contracts. Companies that use popular cloud services can therefore rest assured that they are complying with the regulation.
While some may be tempted to revert to hosting data exclusively within EU borders, Lillian Pang, Senior Director at cloud provider Rackspace, says:
The hope is that the new Privacy Shield lends itself more practically to enabling businesses to transfer personal data from the EU to the US. It would be a real achievement if it compels businesses to ensure that their internal processes and functions keep data privacy at the heart of their operations.
Data may be the new currency for business and industry, but as long as the EU has the most progressive data protection laws, the rights of the individual will govern how companies can spend that new wealth.