Many Software-as-a-Service companies from abroad are currently setting up European data centers, often together with European partners. With this, they hope to ease the growing European concerns around privacy, data protection and complying with existing and upcoming regulations like the EU General Data Protection Regulation (GDPR). But recent developments in US courts show this to be a risky proposition: the problem of privacy is far from resolved by ‘just’ putting data in Europe. For companies betting on Privacy Shield, using services from US companies directly or through an intermediary storing data in Europe, all this is very bad news.
What is Privacy Shield?
Privacy Shield is a mechanism of self-certification for US-based companies processing data from European citizens. It was designed as a replacement for the Safe Harbor Principles, an earlier framework which was invalidated by the European Court of Justice in 2015. Privacy Shield aims to give legal guarantees to companies who process data overseas, but privacy experts as well as the European Data Protection Supervisor itself have pointed out multiple times that Privacy Shield doesn’t carry sufficient guarantees to secure European citizens privacy. The future of Privacy Shield is uncertain, certainly in light of the GDPR.
In essence, Google is being ordered to act as a government agent to secure all requested data wherever it happens to reside.
On August 10, a California federal judge said he would probably overrule Google’s objection about data stored overseas being outside the jurisdiction of the US Stored Communications Act. This would enable the US Department of Justice to obtain Google email account information.
On Monday, August 14, things got worse. Two US judges ruled in separate cases claiming extra-territorial jurisdiction over data stored by US companies in other countries. In one case, the judge noted the earlier Microsoft Ireland case was highly controversial and he agreed with the dissenting judges in that case. The judge in the other case went even further and opined that the Second Circuit court made a mistake in its Microsoft Ireland decision.
A final word on this will have to come from the United States Supreme Court, with an important potential swing vote from the recent appointee by President Trump, Neil Gorsuch. The US Department of Justice already filed a petition for the court to consider the Microsoft Ireland ruling.
It is hard to predict what direction the Supreme Court will go but even if they uphold the decision made in the case of Microsoft Ireland by prohibiting the US government from demanding data stored overseas from US companies, there still is no long term certainty. President Trump has made it clear he wants no limit to his power and international agreements don’t mean much to him.
For companies betting on Privacy Shield, using services from US companies directly or through an intermediary storing it in Europe, all this is very bad news. If they face regulatory requirements to keep data private and in Europe, their data storage solution will likely no longer be compliant when the Supreme Court rules against Microsoft Ireland. And if not – the Trump administration seems determined to extend the reach of their department of justice and other government agencies
What is the GDPR?
The General Data Protection Regulation is a European regulation which aims at harmonizing and reshaping the way organizations handle personal data. Any information related to a natural person must be stored with the consent of the data subject in a secure place under the control of the company processing the data, so that the company can ensure the privacy of its customers. Fines are significant. Merely not having clear records on how data is han- dled and where it is can incur fines of up to 2 % of annual global turnover, with fines for clear violations going up to 4 % or EUR 20 million, whichever is greater.
The upcoming General Data Protection Regulation 1, which goes into effect on May 25, 2018, will exacerbate this problem and expand it to a far wider range of businesses.
Any company that handles data from European users, regardless of its location, and even if the data handled is just a list of names and email addresses, will have to ensure that that data does not leave the jurisdiction of the European Union. A major aspect of the GDPR is that organizations are responsible for the compliance of the entire chain. For example, if a business stores European customer data with a US company and the US government subpoenas any of this data, the business who the customers entrusted the data to is liable for significant damages.
Businesses that handle customer data for themselves or other businesses will have to find a solution that keeps that data compliant under these new, strict rules before the deadline hits. The most reliable way of doing that will be to keep it in European data centers under control of an own IT department.
Today, US-based file sync & share vendor Kiteworks announced their acquisition of ownCloud and Dracoon. Kiteworks points out that their customers now have access to their file-sharing application. It is to be expected they will not maintain 3 similar products, but customers will have to migrate to the US firms’ platform or look for another […]
As part of Schleswig-Holstein's state digitization strategy, the state chancellery has announced they will work with Nextcloud to develop AI for working with government documents. This comes just after we announced the first private AI assistant last weekend with Hub 6. The German state already uses Nextcloud and their AI strategy aligns with our work on ethical, local AI technologies.
Over the last year, AI has become a popular topic. Some is hype, some is substance. Some is good, some is bad. We want to give you the good, not the bad, and ignore the hype! AI has a ton of opportunity – but also risk. So we put you in control – off by […]