While most attention has been paid to Donald Trump’s ‘Muslim ban’, the US President’s proclivity to sign Executive Orders may also have put paid to the US-European Union Privacy Shield agreement, with potential knock-on adverse effect on the American cloud computing industry.
Regular readers will know that here at diginomica, we’re no fans of the Privacy Shield, regarding it as a hastily-knitted PR comfort blanket to put over the cloud industry’s collective transatlantic knees following the collapse of the Safe Harbor agreement.
That said, it was something and since it came into force last August some 1,500 companies have signed up to the framework so far, including Microsoft, Workday, Salesforce and Apple.
But Trump may have smashed the Shield via section 14 of his Executive Order: Enhancing Public Safety in the Interior of the United States. This reads:
Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
In other words, foreigners' data is fair game for the likes of the FBI and the NSA - which is pretty much what led to the collapse of Safe Harbor in the first place.
The initial reaction from some in Brussels was panic. MEP Jan Philipp Albrecht, the European Parliament’s rapporteur on data protection regulation, is a case in point:
Once the European Commission had a chance to rally its response, the party line was that there’s nothing to worry about here, with a spokesperson stating:
We are aware of the executive order on public safety. The US Privacy Act has never offered data protection rights to Europeans.
But in reality, this is exactly the sort of situation that the Commission has been dreading. EU Justice Commissioner Věra Jourová, one of the principal architects of Privacy Shield, said earlier this month that she planned a visit to Washington to check out the Trump administration’s commitment to Privacy Shield.
She made clear her continued reservations on a trip to Malta on Friday, after Trump's Executive Order was signed:
I need to be reassured that Privacy Shield can remain. Of course, I hope I will have such assurance, but we are very vigilant at this moment.
Privacy Shield was already due for its first joint annual review this summer, conducted by the European Commission, the US Department of Commerce, and national intelligence experts from the US and European Data Protection Authorities.
So what is the future for the agreement? Uncertainty would seem to be the most appropriate descriptor. One issue here, when it comes to getting co-operation from the Trump administration, is that Privacy Shield is an Obama legacy. Jourová herself noted that the programme is built:
...to a large extent on the trust which we had towards the American partners, towards the Obama administration. This trust must continue or must be renewed.
I need to have reconfirmation that there is continuity and we will be very strict assessors of the current decisions because Privacy Shield is not a one-off decision, it is the mechanism where we have several American national authorities involved.
Bad news for US cloud computing?
That doesn’t exactly sound entirely convincing - or particularly good news for the transatlantic cloud computing sector. The leading players there have yet to comment on this latest development, but there was clearly already some concern, if not publicly aired, about the strength of Privacy Shield anyway. For example, in its latest Securities and Exchange Commission filing, Microsoft noted:
The growth of our Internet- and cloud-based services internationally relies increasingly on the movement of data across national boundaries. Legal requirements relating to the collection, storage, handling, and transfer of personal data continue to evolve. For example, the EU and the U.S. formally entered into a new framework in July 2016 that provides a mechanism for companies to transfer data from EU member states to the U.S. This new framework, called the Privacy Shield, is intended to address shortcomings identified by the European Court of Justice in a predecessor mechanism. The Privacy Shield and other mechanisms are likely to be reviewed by the European courts, which may lead to uncertainty about the legal basis for data transfers across the Atlantic.
All of which brings back the question of whether Privacy Shield was ever going to be a long-term solution to a data sovereignty and transfer problem that’s only going to get worse. Bill Mew, Cloud Strategist at UKCloud, which only services the UK public sector and as such isn’t impacted by the Privacy Shield Ts & Cs, argues:
The EU-US data transfer arrangements are a bit like a marriage. It requires a level of commitment and trust on both sides and not only can acts of infidelity be catastrophic to the relationship, but sometimes the suspicion of infidelity or even the expectation of further infidelity can be almost as damaging.
Previously there was an initial co-habiting arrangement in Safe Harbor, which was found to be unworkable and the subsequent arrangement, Privacy Shield, has been in place for a short while now. But many regard Privacy Shield as a shotgun wedding that had failure baked in from the outset.
The trouble is that one of the co-habitants keeps flirting with arrangements that are not only damaging to the relationship, but that undermine the trust between the two parties.
As examples, Mew points to the US Department of Justice’s ongoing efforts to access emails stored on a Microsoft server in Ireland as well as the amendments to Rule 41 which recently came into force, allowing US courts to provide their law enforcement agencies with access to any data held by US cloud firms anywhere in the world.
Mew likens the EU’s ‘nothing to worry about’ official stance on the Trump Executive Order to “a wife seeking to stand by her errant husband”, but suggests that Trump’s attitude, self-evidently at odds with the established EU stance on data protection issues, can only add to the relationship issues:
It is as if after a series of alleged flirtations and infidelities, the US is claiming that it is still committed to the relationship and that these claims are being believed for now. However, how much confidence can we have that the US under Trump will not be up to more of the same in the near future - with further executive orders or regulations?
The whiff of infidelity has already caused some firms to move data outside the US. Some firms are not waiting for test cases to provide evidence of infidelity or for further flirtations to occur, and archive.org has already announced that it is heading to Canada.
Many clients in the EU and UK have systems or data for which there are specific requirements around data sovereignty and privacy. Before long they will surely start shying away from the US public cloud providers, in favour of local providers that are beyond the reach of intrusive US regulations.
The question for the faithful wife here is at what point is enough really enough? How much infidelity is palatable, can the errant husband really be trusted? And when is a relationship deemed beyond repair?
If you take Mew’s ‘marital’ analogy to its logical extreme and think about long-term commitment, eventually you have to point out that Trump’s currently on his third wife!
If you follow diginomica’s ‘hastily-knitted comfort blanket’ analogy, then you quickly realise that it doesn’t take much for woolly thinking to become unravelled and leave you exposed to the cold.
Either way, Privacy Shield looks finished from where I’m sitting. Commissioner Jourová needs to get a trip to Washington in the diary soon and this time put something in place that’s going to do the job.
Trouble is, I’m not sure that this is going to be remotely high up on the Trump to-do list.