The recent (July 2020) ruling from the European Court of Justice struck down the Privacy Shield data transfer agreement between the EU and the US, which allowed personal data to be stored with US cloud providers. As the IT industry comes to terms with the new ECJ GDPR ruling, how will the major players like Microsoft, Google and Facebook, just to name a few, react to this news, and how will it affect the future roadmaps for their products?
If you are an EU citizen then this is something that you should have been concerned about, and this is now good news for you; if you’re not, then this is something that you should know of, or at the very least be made aware of. In essence, US authorities like the NSA and FBI have the power to examine any personal data that is collected and resides on US cloud infrastructure, regardless of whether you are a US citizen or not.
As regards judicial protection, non-US citizens do not have the same remedies as US citizens in respect of the processing of personal data by the US authorities, since the Fourth Amendment to the Constitution of the United States, which constitutes, in United States law, the most important cause of action available to challenge unlawful surveillance, does not apply to non-US citizens. In that regard, there are substantial obstacles in respect of the causes of action open to non-US citizens, in particular that of locus standi, which the referring court considers to be excessively difficult to satisfy. Furthermore, according to the findings, the NSA’s activities based on E.O. 12333 are not subject to judicial oversight and are not justiciable. Lastly, the Privacy Shield Ombudsperson is not a tribunal, and therefore US law does not afford non-US citizens a level of protection essentially equivalent to that guaranteed by the fundamental right enshrined in that article.
The referring court found that E.O. 12333 allows the NSA to access data ‘in transit’ to the United States, by accessing underwater cables on the floor of the Atlantic, and to collect and retain such data before arriving in the United States and being subject there to the FISA. It adds that activities conducted pursuant to E.O. 12333 are not governed by statute.
The court found that US government agencies simply have too much access to data about European citizens stored with US tech companies, violating the Charter of Fundamental Rights of the European Union and the extensive data privacy rights enshrined in the GDPR.
While standard contractual clauses remain valid as a legal means to transfer personal data to processors established in third countries, the court makes this practice conditional on those third countries guaranteeing a right to data privacy comparable to those in Europe.
In essence, organizations from now on have to process user data in European clouds or those of demonstrably similar data privacy. They also have to avoid data centres on European soil run by US providers, because access for US government agencies cannot be ruled out.
Organizations outside the EU that collect personal data know that they must comply with the GDPR not only in the letter but also in the spirit of the law, but this ruling now adds an extra layer of complexity that needs to be factored in: user data should be stored encrypted, with robust access control and auditing, whether on-premises, in the public cloud, or in a private cloud in Europe or anywhere else.
For those affected:
1. What the court said
The European court of justice invalidated Privacy Shield, the agreement about data transfers between the EU and the US, because the US government infringes on the data protection rights of European citizens. Until the US has a data privacy law on the books that is comparable with GDPR and has drastically curbed the snooping powers of its agencies, user data cannot be transferred there.
2. What that means
Organizations can no longer use US clouds to process the personal data of European citizens. That includes Microsoft 365 as well as Google Drive and other cloud offerings from US providers. They can, however, still use on-premises integrations like Microsoft Office Online Server (OOS) and SharePoint, for which support ends in 2025 and 2026 respectively.
3. What to do
Some organizations are now stranded with an unlawful setup and need to devise a sovereign stack strategy. Some products have natural replacements: with Microsoft 365 out of bounds, its browser-based on-premises cousin, Microsoft Office Online Server, can still be used lawfully. There are also options beyond the US tech behemoths to choose from; the European tech ecosystem has grown nicely. By leveraging best-of-breed open-source software hosted on-premises or in private clouds, organizations can gain added security and efficiency.
As for those organisations in Australia that do handle personal data of EU citizens, how this will affect them is not yet known, but it is something they need to start looking into.
The Australian Privacy Act is not as comprehensive as the EU GDPR and is missing some critical components, such as:
- Right to be forgotten: GDPR
- Right to Erasure: GDPR Art 17
- Right to Data portability: GDPR Art 20
- Right to Object: GDPR Art 21
Although there is no equivalent right in the APPs, businesses must take reasonable steps to destroy or de-identify PI that is no longer needed for a permitted purpose: APP 11.2. Where access is given to an individual’s PI, it must generally be given in the manner requested: APP 12.5.
More information on the Australian Privacy Act can be found at the links below for the Office of the Australian Information Commissioner:
NOTE: If you do have any privacy concerns seek legal advice.