Privacy Shield: how to comply when data regulations go off-road
Robert Arandjelovic, Blue Coat European Director of Security Strategy.
A new data transfer agreement was announced on 2 February by EU and US officials, but with the terms of Privacy Shield yet to be approved by the European Court of Justice (ECJ) and the data protection authorities (DPAs) of each of the 28 EU member states, the current regulatory landscape is fraught with uncertainty.
The well-intentioned effort to bridge the gap between two very different data privacy playing fields made positive steps to bring additional protection to EU citizens’ data. Yet the agreement, unpopular with many Members of the European Parliament (MEPs), still faces several hurdles: the European Commission was asked to provide a formal Privacy Shield proposal by the end of February, but will then rely on the advice of Working Party 29, a group of national DPAs that will issue its opinion by the end of March.
The DPAs will be determining whether Privacy Shield will hold up if tested in the European Court of Justice, which will have the ultimate authority on the legality of the new pact. Even in a best-case scenario in which the new regulations are accepted by all parties, the stipulation of yearly reviews means that the law could change on a regular basis or, as happened last autumn, be struck down altogether.
Many organisations have failed to prepare for this precarious situation and don’t seem to understand that the rules around the storage and transfer of personal data may never again be as clear cut as they have been. In circumstances where the regulatory rug could be pulled from under their feet at any time, fulfilling the bare minimum and relying solely on the agreement as a safety blanket is not sufficient. Businesses are well advised to go beyond compliance in all areas by proactively improving visibility and control over their data transfers and building contingency plans in the event that the agreement radically changes or is invalidated.
A boost for EU cloud providers
Establishing and utilising EU data centres – or subscribing to EU-based cloud services – is one approach organisations can adopt to avoid data residency issues. With the instability around data transfer rules, bypassing the issue entirely by engaging Europe-based cloud service providers is starting to look like an increasingly attractive option.
A greater reliance on EU providers could have an interesting impact on the global cloud services market. Europe is yet to produce a serious rival to the US cloud service powerhouses, but if spending on EU data centres were to surge in response to uncertainty over data transfer regulation, European cloud providers could potentially capitalise.
Conversely, competitors in other regions may begin to reassess the demands of doing business in Europe. Although it is unlikely to affect the strategic decisions of well-established, global players, smaller providers may decide that the additional investment in infrastructure and data monitoring ultimately outweighs the benefits of operating in the EU.
Taking back control of data
Faced with such confusion and doubt, many firms took a wait-and-see approach after the first Safe Harbor agreement was struck down – a risk that seemingly paid off, as a new deal seems to be getting hammered out just in time. However, the relative instability of the new agreement means that businesses cannot afford to take this stance in a post-Safe Harbor world.
In an attempt to continue with business as usual, some organisations have started to investigate the use of alternative legal mechanisms such as ‘model clauses’ – contractual arrangements which provide safeguards to users concerning data protection and could potentially avoid non-compliance headaches in the event of another abrogation. However, these clauses have proven inflexible and difficult to implement in practice. Furthermore, some DPAs have decided these clauses are insufficient, as they suffer from weaknesses similar to those that resulted in the invalidation of Safe Harbor.
Alternatively, technology offers interesting ways to mitigate some of the issues concerning data transfer without all of the heavy legal manoeuvring. Cloud access security brokers (CASBs), for example, provide insight into which cloud applications are in use on an organisation’s network and what types of data are transferred through them. Some can even empower organisations to control who can access that data and where it can go.
Many organisations have no idea where the data they manage is going. Gaining visibility allows businesses to discover shadow clouds, determine the location of data centres and take the steps required to ensure compliance. This visibility helps organisations take back control and ownership over their data chain, minimising the risk of shadow cloud applications while enabling the secure use of sanctioned applications.
Tokenisation is another option for many businesses with operations in Europe. Before a form or request from a cloud application leaves the local site, tokenisation solutions pull out all sensitive and personal data and replace it with randomised code (a token) that is completely unrelated to the original data. The real data can only be re-substituted by the tokenisation solution, making it virtually impossible for third parties to decipher. In this manner, the actual personal data never leaves the local data centre, let alone the country.
Tokenisation is a trusted and certified technology which can allow businesses to use cloud services hosted outside of the EU without falling foul of residency requirements, as long as the tokenisation server is based in one of the EU member states.
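The tokenisation flow described above, as an added illustration that is not part of the original article and not any vendor’s product: a gateway sitting in the local data centre swaps the personal fields of a record for random tokens before the record goes to a cloud application, and only the gateway’s own vault can turn the tokens back into real data. The field names, the record and the stand-in cloud application are constructed for the example.

```python
import secrets
from typing import Any, Dict

# Constructed example: which fields of a record count as personal data.
# A real gateway would take this list from its data-classification policy.
SENSITIVE_FIELDS = frozenset({"name", "email", "national_id"})
TOKEN_PREFIX = "tok_"


class TokenVault:
    """Maps random tokens back to the original values.

    The vault is the only place where the real data exists. In the
    scenario the article describes it runs inside an EU data centre and
    the mapping never leaves it.
    """

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # A fresh, unpredictable token each time. It is not derived from
        # the value (no hashing, no format preservation), so a party that
        # holds only tokens learns nothing about the data behind them.
        while True:
            token = TOKEN_PREFIX + secrets.token_urlsafe(16)
            if token not in self._store:
                break
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can reverse a token. Unknown tokens are rejected
        # rather than passed through, so a forged or corrupted value never
        # masquerades as restored personal data.
        if token not in self._store:
            raise KeyError(f"unknown token: {token}")
        return self._store[token]


def is_token(value: Any) -> bool:
    return isinstance(value, str) and value.startswith(TOKEN_PREFIX)


def outbound(record: Dict[str, Any], vault: TokenVault) -> Dict[str, Any]:
    """Applied before a record leaves the local site: swap PII for tokens."""
    return {
        key: vault.tokenize(str(val)) if key in SENSITIVE_FIELDS else val
        for key, val in record.items()
    }


def inbound(record: Dict[str, Any], vault: TokenVault) -> Dict[str, Any]:
    """Applied when the cloud application returns the record: restore PII."""
    return {
        key: vault.detokenize(val) if key in SENSITIVE_FIELDS and is_token(val) else val
        for key, val in record.items()
    }


def contains_original_values(sent: Dict[str, Any], original: Dict[str, Any]) -> bool:
    """Self-check for the gateway: does anything leaving the site still
    equal one of the sensitive values from the original record?"""
    sensitive = {str(original[k]) for k in SENSITIVE_FIELDS if k in original}
    return any(str(v) in sensitive for v in sent.values())


def simulated_cloud_app(record: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in (constructed) for a SaaS application hosted outside the EU.
    It can work on the non-sensitive fields but only ever sees tokens."""
    processed = dict(record)
    processed["status"] = "approved"
    return processed


def round_trip(record: Dict[str, Any], vault: TokenVault):
    """Full flow: tokenise, hand to the cloud app, restore on return."""
    sent = outbound(record, vault)
    returned = simulated_cloud_app(sent)
    return sent, inbound(returned, vault)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record.
    customer = {"name": "Ana Example", "email": "ana@example.eu",
                "national_id": "EX-123456", "plan": "pro"}
    sent, restored = round_trip(customer, vault)
    print("left the site:    ", sent)
    print("restored locally: ", restored)
```

The residency property rests on two things the code makes explicit: the token is random rather than derived from the value, so no amount of analysis on the cloud side recovers it, and detokenisation is only possible with the vault, which is why the article’s condition that the tokenisation server sit inside an EU member state matters.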
Uncertainty is the new norm
The end of Safe Harbor has exposed a lot of companies to unsettling regulatory ambiguity, and with the General Data Protection Regulation (GDPR) set to further complicate the situation in 2018, those operating in Europe need to get to grips with how they manage the data they are responsible for.
Privacy Shield is in a fragile state, and even if the terms of the agreement are universally accepted, the rules around data protection may never be as stable as they once were. Laws may change with the stroke of a pen, but companies that truly control their data as they adopt cloud technologies will be in a far stronger position than those that continue to take compliance for granted and fail to adapt to this new reality.