With no common framework in place defining how to protect personal information across the Atlantic, U.S. companies may be forced to invest in new technology to silo data about European customers.
The U.S. Commerce Department and the European Commissioner of Justice pledged last week to hammer out a new standard to replace the Privacy Shield, which a European court invalidated last month with no grace period for compliance. In a joint statement, Commerce Secretary Wilbur Ross and Justice Commissioner Didier Reynders acknowledged "the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies."
But such claims do not guarantee a new pact will stick. The now-defunct Privacy Shield, which detailed data protection requirements when transferring personal data from the European Union and Switzerland to the United States, took months of negotiations before it was ultimately approved in July 2016. But the framework caved in its first legal test, after Austrian privacy advocate Max Schrems claimed that the privacy pact didn’t protect EU citizens from being spied on by the government. In July, the European Court of Justice (ECJ) decision in the Schrems II case left companies with very little protection beyond the standard contractual clauses (SCC) for data transfers between EU and non-EU countries. And even those were seen as inadequate and problematic.
“There will be demystification needed in the coming weeks so that businesses start to realize that whilst in theory the SCCs are still there, when dealing with countries that have far reaching surveillance laws, they might not be sufficient,” said Tom de Cordier, partner at CMS.
SCCs “imply that data transfer and storage processes have been proactively evaluated,” Brittany Roush, director of The Crypsis Group, told SC Media. But that leaves too much room for interpretation. “Considering that the EU courts have already stated that SCCs are not safe from legal scrutiny, organizations would almost assuredly prefer more specific guidance.”
Companies left vulnerable
Without Privacy Shield for protection, “companies face a risky position that can be challenged at any time by the courts,” said Roush, noting that U.S. tech companies, in particular, could find themselves in a precarious position.
“It isn’t inconceivable that the courts could test the validity of the SCCs by taking on one of the U.S. tech giants, particularly in light of both Congress's and the world’s recent focus on data privacy and the EU court's position that U.S. surveillance laws run afoul of GDPR principles,” she said.
That’s one reason de Cordier believes big tech firms will be putting forward “EU-only solutions targeted at European customers to hold their data over European territory in the cloud,” which, he said, will reflect an acceleration of a trend that’s spun out over the last few years.
Without “a common set of rules shared to allow businesses to operate across state and national lines,” the world will likely “become a patchwork of regulation, making it an extremely challenging place to do business,” said Danny Allan, CTO at Veeam.
Coming up with a new agreement presents a challenge. Negotiators are likely to run into the same issues that sank the first Privacy Shield and the Safe Harbor act before it – U.S. surveillance laws that don’t meet the standard of protection that EU laws provide.
“Without drastic reform to data privacy standards in the U.S., and the reach of agencies like the NSA, any potential new Privacy Shield agreements will most likely be swiftly shut down by the same court in the EU,” said Dan Piazza, technical product manager at Stealthbits Technologies.
Here's the problem, as stated by Saryu Nayyar, CEO at Gurucul: The European Union puts data privacy for its citizens first, ahead of law enforcement and state needs. The U.S., however, puts national security and law enforcement interests ahead of personal privacy. That's a fundamental difference in perspective.
Privacy Shield was viewed by the public as a means for pushing “the U.S. to get onboard with surveillance reform as well as a push for business interests to do the same,” said Chloé Messdaghi, vice president of strategy at Point3 Security. In return, the situation provides the U.S. with two options: change surveillance standards, or leave companies with no other option but to move their operations to Europe and split systems into two parts.
Forcing a compromise
In real terms the EU didn’t appear to have pushed for change or even to be viewed by the public as having tried to force change. Because the U.S. has its “hands deep in tech platforms,” the EU bends to the U.S.’s will as evidenced by the tenets of the EU-U.S. Privacy Shield, said Messdaghi.
It’s that power and control that’s driving the U.S. and EU to reach a new agreement. “But whoever controls tech has the ability to do what they want – and since that’s the U.S., it prevents the EU from imposing anything because they don't have equal standing,” said Messdaghi. “Unless both parties are equally weighted during talks, the one in control can continue to have their demands met more than the weaker party.”
In the words of Nayyar, “the data must flow.”
Still, despite the pledge by the EU and U.S. to craft a new agreement, Piazza remains skeptical, calling it nothing more than “hand waving at this point.”
The outcome of the November presidential election will influence whether the U.S. adopts a federal data protection law that will ultimately alleviate European regulators’ concerns. At the same time, the U.K.’s fast-approaching exit from the EU is lending a sense of urgency to that country’s efforts to assure that its own surveillance laws don’t run afoul of EU requirements.
“If the U.K. wants to obtain an adequacy finding from the EU by the time the current transition period ends in January 2021, it’ll have to make sure that U.K. surveillance laws have the right checks and balances built in, which isn’t the case today,” de Cordier said.
In lieu of a national U.S. law and, ultimately, even with the EU-U.S. stated commitment to a solution, “companies should prepare themselves for months, if not years, of uncertainty when it comes to cross-border transfers and start proactively evaluating their risk,” said Roush. “If an organization has been reliant on Privacy Shield, then it is critical that they assess whether or not they meet an ‘adequate level of protection,’ as required by EU law.”
There are some other measures that companies can adopt in the meantime, such as relying on binding corporate rules (BCRs), which are companywide data protection policies “that you make binding, then get the ok from regulatory,” said de Cordier. But even with BCRs in place, companies “might run into same problem as with Privacy Shield regarding surveillance,” he explained.
“Maybe you can juggle around, surf your suppliers…stop working with them [and instead find] a European supplier that is more adequate,” he said.
But that's a whole lot of maybes, with very little assurance of a reliable outcome.
Said de Cordier: “There is no golden solution.”