

Duncan Brown
Research Director, European Security Practice

Last week was a busy one for privacy watchers. We had not one but two major developments in the regulation of data transfers between the US and the EU, which affects (amongst other things) cloud services.

The first move was the European Commission's decision to adopt the EU-US Privacy Shield framework that underpins transatlantic data transfers. Its predecessor, Safe Harbor, had been struck down by the European Court of Justice in October last year, after it was shown (in the wake of the Snowden revelations) to provide an inadequate degree of protection for personal data. Privacy Shield improves the oversight and recourse options on data transfers, adding teeth to the mechanism that assesses whether US companies are abiding by EU data protection principles.

The agreement on Privacy Shield should clear up the considerable ambiguity that has reigned for the nine months since the demise of Safe Harbor: EU-based companies transferring data to the US once again have a legal framework to underpin their business processes. However, Privacy Shield is likely to be tested in court, and it remains unclear whether this beefed-up agreement will prove more robust than its predecessor. Companies involved in data transfers (both providers and enterprises) should therefore examine alternative legal structures, such as binding corporate rules and model contract clauses*, rather than relying on Privacy Shield alone.

The second development last week was the decision of a US federal appeals court to rule in favour of Microsoft in its refusal to hand over customer emails stored on servers outside the United States. The emails, held in Microsoft's Dublin data centre, had been demanded by the Department of Justice under a warrant. Microsoft argued that the physical location of the emails placed them under the jurisdiction of the Irish courts and data protection authorities.

IDC thinks that this decision is more important than the agreement of Privacy Shield. Had Microsoft lost its case, any data centre in the EU (or anywhere in the world) owned by a US-headquartered service provider could have been subjected to data disclosure warrants issued by US law enforcement agencies. That would have made building EU-based data centres pointless, and data residency irrelevant.

The ruling, which the DOJ may contest, obliges US law enforcement to go through the courts and data protection authorities of the country in which the data physically resides, reinforcing data residency as a key consideration in data protection jurisdiction.

The murky world of international data protection has become slightly more transparent.

* IDC does not provide legal advice. If in doubt, get a lawyer.

For more information on privacy, data protection and security insights, please contact Duncan Brown.

If you also want to learn more about Brexit and its implications for tech businesses, we now have a 35-page report on the impact of Brexit on UK and European IT spend: The Brexit Impact on IT Spend in the U.K. and Western Europe: A Scenario Analysis. The report outlines the scenarios in more detail, the associated assumptions, and the expected impact across hardware, software and services for each scenario.