Many Software-as-a-Service companies from abroad are currently setting up European data centers, often together with European partners. With this, they hope to ease the growing European concerns around privacy, data protection and complying with existing and upcoming regulations like the EU General Data Protection Regulation (GDPR). But recent developments in US courts show this to be a risky proposition: the problem of privacy is far from resolved by ‘just’ putting data in Europe. For companies betting on Privacy Shield, using services from US companies directly or through an intermediary storing data in Europe, all this is very bad news.
What is Privacy Shield?
Privacy Shield is a mechanism of self-certification for US-based companies processing data from European citizens. It was designed as a replacement for the Safe Harbor Principles, an earlier framework which was invalidated by the European Court of Justice in 2015. Privacy Shield aims to give legal guarantees to companies that process data overseas, but privacy experts as well as the European Data Protection Supervisor itself have pointed out multiple times that Privacy Shield does not carry sufficient guarantees to secure European citizens’ privacy. The future of Privacy Shield is uncertain, certainly in light of the GDPR.
Uncertainty about data access rights
In January, the Privacy Shield agreement was shaken to its foundations when newly elected US President Donald Trump signed an executive order stripping non-citizens of privacy rights.
Just two days before President Trump signed his executive order, Microsoft Ireland narrowly escaped a rehearing in a case that “could have resulted in chaos and a privacy disaster”. A three-judge panel had ruled that a US Government warrant could not be used to force Microsoft to hand over emails stored in Ireland; the Department of Justice tried to have this decision reversed, but failed. Earlier, in July 2016, Microsoft had obtained a ruling against such access to customer data stored overseas.
However, this ruling does not seem to stand very firm. In June, Google encountered a judge who held that the Microsoft decision did not apply and ordered the company to hand over data stored outside of the United States. As Techdirt describes it:
In essence, Google is being ordered to act as a government agent to secure all requested data wherever it happens to reside.
On August 10, a California federal judge said he would probably overrule Google’s objection about data stored overseas being outside the jurisdiction of the US Stored Communications Act. This would enable the US Department of Justice to obtain Google email account information.
On Monday, August 14, things got worse. Two US judges ruled in separate cases that they had extraterritorial jurisdiction over data stored by US companies in other countries. In one case, the judge noted that the earlier Microsoft Ireland case was highly controversial and said he agreed with the dissenting judges in that case. The judge in the other case went even further and opined that the Second Circuit court had made a mistake in its Microsoft Ireland decision.
A final word on this will have to come from the United States Supreme Court, with an important potential swing vote from the recent appointee by President Trump, Neil Gorsuch. The US Department of Justice already filed a petition for the court to consider the Microsoft Ireland ruling.
It is hard to predict what direction the Supreme Court will go, but even if it upholds the decision made in the case of Microsoft Ireland by prohibiting the US government from demanding data stored overseas from US companies, there is still no long-term certainty. President Trump has made it clear he wants no limit to his power, and international agreements do not mean much to him.
For companies betting on Privacy Shield, using services from US companies directly or through an intermediary storing data in Europe, all this is very bad news. If they face regulatory requirements to keep data private and in Europe, their data storage solution will likely no longer be compliant if the Supreme Court rules against Microsoft Ireland. And even if it does not, the Trump administration seems determined to extend the reach of its Department of Justice and other government agencies.
What is the GDPR?
The General Data Protection Regulation is a European regulation which aims at harmonizing and reshaping the way organizations handle personal data. Any information related to a natural person must be stored with the consent of the data subject in a secure place under the control of the company processing the data, so that the company can ensure the privacy of its customers. Fines are significant. Merely not having clear records on how data is handled and where it is can incur fines of up to 2 % of annual global turnover, with fines for clear violations going up to 4 % or EUR 20 million, whichever is greater.
The upcoming General Data Protection Regulation, which goes into effect on May 25, 2018, will exacerbate this problem and expand it to a far wider range of businesses.
Any company that handles data from European users, regardless of its location, and even if the data handled is just a list of names and email addresses, will have to ensure that such data does not leave the jurisdiction of the European Union. A major aspect of the GDPR is that organizations are responsible for the compliance of the entire chain. For example, if a business stores European customer data with a US company and the US government subpoenas any of this data, the business to which the customers entrusted the data is liable for significant damages.
Businesses that handle customer data for themselves or for other businesses will have to find a solution that keeps that data compliant under these new, strict rules before the deadline hits. The most reliable way of doing that will be to keep it in European data centers under the control of their own IT department.