For as long as the cloud has existed, one of the most common concerns of would-be buyers has been the question of where their data will reside, and, more specifically, whether moving that data to another country constitutes a legal or compliance risk.
This is called data sovereignty, and it continues to drive many British buyers towards UK cloud hosting services rather than services delivered from the US or elsewhere in the world. It’s a particular concern for companies that store and process personal data, not least with the new EU General Data Protection Regulation (GDPR) having ushered in an era of greater data protection rights for EU citizens and greater penalties for firms with a laissez-faire attitude towards those rights.
That said, the question of whether the transfer of personal data across the Atlantic is permissible is a complex one. Many companies do, in fact, store and process information on EU citizens in the US, including the likes of Facebook and Google, and they do this through treaties such as the new Privacy Shield framework, which was recently deemed to “work well” in its first annual review.
So what is Privacy Shield, exactly? And how far can UK cloud hosting users rely on the framework?
What is Privacy Shield?
The EU-US Privacy Shield came into effect in July 2016 and takes the form of a voluntary self-certification programme (only companies that make a public commitment to comply with the framework are covered). The full text of the framework can be found on the Privacy Shield website, as well as a list of certified firms, of which there are currently around 2,500.
Perhaps the most interesting thing about Privacy Shield, though, is the context in which it came to be. Prior to 2015, US companies had the option to self-certify against another framework - called Safe Harbor - in order to transfer EU citizens’ data across the Atlantic. In October 2015, however, a complaint brought against Facebook by Austrian privacy campaigner Max Schrems in light of the 2013 Snowden disclosures led the European Court of Justice to rule the Safe Harbor agreement invalid, and the agreement vanished without warning overnight.
Privacy Shield, then, was the ad hoc replacement introduced to plug the gap and allow US companies to conduct EU-US data transfers without falling back on standard contractual clauses. It’s relatively new and untested, and there’s lingering concern it could be ruled invalid in the same way as its predecessor at a moment’s notice.
12 months on
The aforementioned first annual review of Privacy Shield was published by the European Commission last month, with the verdict that it “works well”, albeit with “room for improvement in its implementation”. The review also points out that Privacy Shield is “a living agreement that both the EU and US must actively monitor”.
However, this positivity has been tempered by the news that Schrems has, once again, had a complaint referred to the European Court of Justice, on the grounds that Privacy Shield has not fully addressed concerns that US surveillance is incompatible with EU citizens’ data protection rights. The complaint also pokes holes in the standard contractual clauses that US companies would be forced to fall back on without Safe Harbor or Privacy Shield, so it is potentially even more significant than the end of Safe Harbor in 2015.
So, once again, the future of EU-US data transfers is uncertain. Right now, it’s permissible for US companies to store and process EU citizens’ personal data on US turf and, by extension, for UK cloud hosting users to rely on providers with US-based data centres. However, the book is far from closed on the issue of US mass surveillance and its implications for privacy, and there could be a greater upheaval still to come.
For UK companies, then, there’s no substitute for ensuring customers’ personal data resides only in UK or EU data centres, and for total clarity on how that data is stored, processed and transferred.