When Edward Snowden revealed US and UK spy agency secrets, French and German leaders were alarmed by what they learned about US government spying operations in Europe, including on their own governments. There was talk of a ‘wall’ that would be built around the EU, requiring EU and international cloud companies to keep EU citizens’ data within the Union.
Rackspace, Microsoft, Google and Amazon rushed to build data centres in the EU, while stating their efforts were meeting the requirements of customer compliance with locality laws. Amazon, for example, said customers would have ‘complete control over the geographic locations where their content can be stored and accessed.’ But it all seems to have been a waste of time. The new EU General Data Protection Regulation (GDPR) does not require this.
Chiara Rustici is an author and researcher on EU privacy and GDPR. ‘In purely legal terms, the GDPR does not ask processors (cloud and co-location providers fall mostly into this category) to keep EU-based individuals’ personal data on EU soil,’ she says. ‘What it does ask is the flipside of that: in whichever country or jurisdiction EU-based individuals’ personal data is stored, that data will need to be offered all the safeguards of the GDPR… If you want a starker image, for the sake of simplicity, don’t think of the EU as wishing to attract the global cloud business onto EU soil. Think of it, instead, as the EU trying to export its idea – that data protection is a universal human right – to the rest of the globe.’
In particular the GDPR allows companies outside of the EU to process data of EU citizens outside the Union as long as the processors adhere to EU privacy and data protection requirements. These are called Model Clause agreements. However, this will not always work, as the German attorney at Planit Legal in Hamburg, Bernhard Freund, explains: ‘In some scenarios it is not possible’, because under German law certain sensitive data (such as health data) cannot be taken outside the country. Freund says that the GDPR includes ‘opening clauses’ that allow member nations to make changes to certain sections of the law. This is in spite of the law theoretically being designed to bring all of the EU under one set of rules.
The US relationship with the EU is the exception, and the US is forging its own agreement with the EU called the EU-US Privacy Shield. According to White & Case: ‘Cross-border data transfers to a recipient in a third country may take place, without a need to obtain any further authorisation, if the Commission has decided that such third country ensures an adequate level of data protection (an “adequate jurisdiction”). The basis for this principle is that such jurisdictions provide sufficient protection for the rights and freedoms of data subjects without the need for further safeguards.’
If you read the legalese on Microsoft’s, Google’s and Amazon’s websites, they state that their cloud businesses all comply with that.
But will any of this stick? When President Trump signed an executive order that, “excludes persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” he stepped into an already fragile legal framework, causing further concern.
Even Good Ideas Can Pose Technical Difficulties
The GDPR does not address all issues related to privacy. There is also the ePrivacy directive. This directive will cause computer companies to have to change some computer code.
Eva Škorničková is a lawyer based in the Czech Republic, specialising in privacy and data protection. Talking via telephone, she explained that the very definition of the age of consent can vary by member state. According to Škorničková, ‘the ePrivacy Regulation was adopted by the EU commission in January 2017. It is slated for approval by EU Parliament in April or May 2018. The goal is to have that law’s passage coincide with the implementation day for the GDPR.’
The ePrivacy Regulation includes: ‘the right to be forgotten’ (otherwise known as the right to erasure), the right to transport personal data from one company to another, the requirement for children to obtain parental permission to join social media sites, and, depending on the final form the law will take, the right for children to delete items that will embarrass them or complicate their search for employment in the future. The International Association of Privacy Professionals (IAPP) states that with ‘Article 89, controllers will not have to erase or rectify data after the data subject has withdrawn consent.’
All this causes complications for computer companies. Instead of simply lying about their age to join Instagram, 13-year-olds might have to get permission from their parents in order to join via an email opt-in sent to their parents. In terms of referential integrity, any programmer knows you cannot remove a record from a database that is connected to other records. So if a child writes a comment in the middle of a Facebook thread that they wish to later delete, Facebook will have to either delete the whole thread, or write code to remove that one line and then stitch the rest of the thread back together.
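The erasure-versus-referential-integrity problem described above, as an added example that is not from the article or from any platform it names: a constructed SQLite thread in which a plain DELETE of a comment that still has replies is refused by the foreign-key constraint, beside an erase routine that re-parents those replies to the erased comment's own parent before deleting it, which is the ‘stitch the rest of the thread back together’ option. Table and column names are assumptions for the illustration.

```python
import sqlite3

# Constructed sample thread: comment 2 is the one to be erased; comments 3 and 4
# hang off it, so a naive DELETE would either fail or orphan them.
SAMPLE_COMMENTS = [
    (1, None, "alice", "Original post"),
    (2, 1, "child_user", "Comment the author later wants erased"),
    (3, 2, "bob", "Reply to comment 2"),
    (4, 3, "carol", "Reply to bob"),
]


def build_thread_db():
    """Create an in-memory thread table with an enforced self-referencing foreign key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces FKs when asked
    conn.execute(
        "CREATE TABLE comment ("
        " id INTEGER PRIMARY KEY,"
        " parent_id INTEGER REFERENCES comment(id),"
        " author TEXT NOT NULL,"
        " body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO comment VALUES (?, ?, ?, ?)", SAMPLE_COMMENTS)
    conn.commit()
    return conn


def naive_delete_fails(conn, comment_id):
    """True if a plain DELETE is refused because other rows still reference it."""
    try:
        conn.execute("DELETE FROM comment WHERE id = ?", (comment_id,))
    except sqlite3.IntegrityError:  # "FOREIGN KEY constraint failed"
        conn.rollback()
        return True
    conn.rollback()  # leave the thread untouched either way
    return False


def erase_comment(conn, comment_id):
    """Erase one comment and stitch the thread: re-parent its replies to the
    erased comment's parent, then delete the row, all in one transaction."""
    with conn:  # commits on success, rolls back on any exception
        row = conn.execute("SELECT parent_id FROM comment WHERE id = ?", (comment_id,)).fetchone()
        if row is None:
            return 0
        conn.execute("UPDATE comment SET parent_id = ? WHERE parent_id = ?", (row[0], comment_id))
        return conn.execute("DELETE FROM comment WHERE id = ?", (comment_id,)).rowcount


def thread_shape(conn):
    """Return (id, parent_id) pairs so the stitched thread structure can be checked."""
    return conn.execute("SELECT id, parent_id FROM comment ORDER BY id").fetchall()
```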
As an added complication, Škorničková notes, ‘the implementation allows member countries to write their own rules for some of the 50 articles. The age by which parental consent is required is one of those.’ Currently, the Czech Republic has no social media consent age, while in the UK it is 13.
Another issue is data portability. This is particularly difficult, because it is unclear how a company is going to be able to transfer a person’s data from one firm to another. The rules call for establishing common interfaces for data transfers – but data cannot be easily deleted. For example, how could Google Docs physically remove documents from their system and hand them over to another company? Google Docs does not share data, except in the case of a user losing access to their domain. You can export all your Google docs to a Microsoft equivalent such as .doc, .ppt, and .xls files. Will this manual process by the user suffice for data transfer?
Advertising companies are worried about how EU regulations are going to affect the gathering of data with cookies. They are concerned that even good ideas such as privacy can often end up being distorted and not meeting their original objectives when implemented. We have already seen this with the advent of pop-ups on websites asking for permission to collect data using cookies. The new law proposes that browsers give users control over cookies (something already done with plugins such as Ghostery), yet none of that control operates on iPhone or Android apps that do not use a browser.
Digital agency DigiDay believes this requirement will lead to even more silliness; instead of having one annoying pop-up to click through, there will be many more. It is now becoming common to ask the user permission to gather certain data, similar to how ad blocking pop-ups are used.
Norway’s Vivaldi told Quartz Media they see an opening for their browser because of this change: ‘If we can bring more transparency and control to the user in a way that they can understand, there’s definitely an opportunity.’
Tearing Up Cloud Contracts
Freund believes that tech companies in the EU are thinking about the GDPR more than they are about ePrivacy. Clients are coming to his law firm to run gap analyses to identify current practices that need to change in order to comply with the new regulations. He notes that because of existing EU law, many clients are on the way to being compliant already. He says, ‘usually there is no organisation that is 100% compliant, [but] you do not start from scratch.’
Freund cites the case of an EU-based company using Amazon for their cloud services. Amazon runs support for their data centres 24 hours a day. But while the US or Europe might be running support for their centres during the day, this activity switches to India at night, where model contracts might not be in place.
So it remains to be seen what the fallout of all this will be. What technical changes to applications will have to be made? And how will relations between cloud providers and their customers change? So far there are no visible signs of changes on Facebook (particularly regarding privacy by default) or in cookie collection by ad companies. There is not a lot of time left for companies to meet these new requirements if the ePrivacy directive comes into force by March 2018. Meanwhile, meeting the GDPR would be better handled by implementing simple changes such as encrypting data in transit and seeking approval of procedures and policies from EU regulators.