India is following Russia and others in imposing data sovereignty restrictions that specify that data must remain in country. Meanwhile the European Parliament has called for the suspension of Privacy Shield from 1st September. How should ethical, customer-centric organisations respond?
India is just the latest in a number of countries seeking to implement policies that impose data sovereignty restrictions on the storage of data. It joins Russia and others in specifying that data must remain in country. The emergence of such islands of data sovereignty comes just as the future of one of the main international data sharing frameworks is called into question.
A storm is on the horizon: the current status of Privacy Shield, the data sharing framework between the EU and the US, is being called into question. Privacy Shield is utilized by many organisations to demonstrate adequate levels of personal data protection, permitting the transfer of such data between the EU and the US.
Privacy Shield was adopted in July 2016 as a replacement for Safe Harbor. In a 2015 decision by the European Court of Justice, Safe Harbor was determined to provide inadequate privacy protection.
The EU and US authorities then hurriedly introduced Privacy Shield as a replacement legal framework. Under the Privacy Shield certification process, companies must self-certify their commitment to compliance with the Privacy Shield requirements. Oversight has been somewhat more rigorous in the EU, where privacy is seen as a human right, than in the US, where there has been minimal commitment to enforcing the framework.
A number of major issues have been identified, including:
- Examples of major abuse: The Facebook / Cambridge Analytica scandal exposed ongoing abuses of the framework’s provisions that had not been addressed at all by US authorities (Facebook was certified under Privacy Shield).
- Inadequate Oversight and Redress: The EU had been grumbling about the lack of a permanent, highly-qualified person in the role of ombudsperson. This was even before it was announced that Judith Garber, who had been acting in a temporary capacity as ombudsperson for Privacy Shield, would be the next U.S. ambassador to Cyprus. No replacement, temporary or permanent, has yet been announced for the ombudsperson role.
- Legislative Conflict: the original certification framework was based on the now defunct EU Directive 95/46, which has since been replaced by GDPR. At the same time, the US has recently reauthorized FISA provisions that allow for the collection of non-U.S. individuals’ personal data by U.S. intelligence agencies, and has also introduced the CLOUD Act, which eliminates protection for data stored overseas and gives firms that operate in the US no legal recourse to withhold data from the NSA and other law enforcement bodies. GDPR, FISA and the CLOUD Act are not only yet to be reflected in the Privacy Shield framework, but are also seen as being incompatible with one another, making their incorporation problematic.
Such concerns have led European privacy organizations and agencies to call for the suspension and/or outright revocation of Privacy Shield. Similar concerns and challenges have been levelled against the “Standard Contractual Clauses”, which are another mechanism to ensure the compliant transfer of EU personal data out of the EEA to jurisdictions that the European Commission has not deemed to be “adequate”.
The continuing legal uncertainty about transferring personal data out of the EU has led many global companies, in particular those from the US, to establish data processing and storage capabilities within the EU, and in some cases specifically within the UK.
This enables the global giants to avoid the data transfer issues, but does not in itself address concerns about data jurisdiction. Foreign sovereign powers can and do demand access to data if the company holding that data is subject to the foreign jurisdiction. In the absence of any specific agreements between the EU and US about these kinds of data transfers, question marks remain over GDPR compliance, and there are further serious implications for Privacy Shield’s future.
How should ethical, customer-centric organisations respond?
All organisations operating in the EU and holding or processing personal data will need to continue actively working to achieve (and maintain) GDPR compliance. Those that also transfer data across the Atlantic and currently rely on Privacy Shield to demonstrate adequate data transfer protections will also need to monitor developments regarding Privacy Shield and consider additional and alternative methods of demonstrating compliance. Those organisations that pride themselves on being particularly ethical and customer-centric may want to take further precautions, such as ensuring data sovereignty for all personal data.
Example: the NHS in the UK
Guidance from NHS Digital on off-shoring and the use of public cloud services states that:
NHS and Social care providers may use cloud computing services for NHS data. Data must only be hosted within the European Economic Area (EEA), a country deemed adequate by the European Commission, or in the US where covered by Privacy Shield.
With the risks of revocation or suspension of Privacy Shield now escalating, reliance on Privacy Shield alone is inadvisable. Trusts could consider the use of the EU Standard Contractual Clauses, although these are also being challenged in the European courts, or prepare for whatever other methods are approved by the EU regulatory authorities following the Privacy Shield review. A more certain (risk-free) course of action would be to opt for complete data sovereignty for patient data by retaining the data in the UK and using a UK-based service provider for these workloads.
Firms that operate in the US are subject to US law, including FISA and the CLOUD Act, neither of which will easily be incorporated into the next version of Privacy Shield. While they can offer a level of data residency (offering to keep your data in the UK), the CLOUD Act eliminates protection for data stored overseas, and provides them with no legal recourse to withhold data from the NSA and other US law enforcement bodies, meaning that they cannot guarantee data sovereignty.
Recent research by the Corsham Institute highlighted increasing patient awareness of data privacy issues with a growing public desire for more information on data storage in the NHS. 88% of adults said that it is important to know where and how their patient data is stored and 80% said that it is important to know whether patient data is hosted by companies whose headquarters are outside of the UK.
While public confidence in the NHS is currently high, the significant increase in privacy awareness means that there’s a real risk that any incident, such as a repeat of the WannaCry malware, could expose weaknesses in sovereignty, efficiency and data security, leading to a potential patient backlash. Further details of the Corsham Institute research can be found here.
With many Trusts already opting to ensure data sovereignty by placing patient data and workloads with UK-based cloud service providers, there is no reason that other Trusts should not follow suit. After all, there is no real need to move patient data off shore or to use foreign service providers, no real need for Trusts to expose themselves to risks relating to the potential revocation or suspension of Privacy Shield, and no real need to expose themselves to a potential patient backlash in the event of future incidents.
What does this mean for customer-centric organisations in other locations?
Well, it might also be wise for them to follow the example of these Trusts and accelerate their move to the cloud in order to enhance operational efficiency, but to do so without neglecting data sovereignty. If there is no real need to move private data off shore or to store it with foreign firms, then why do so?
By Bill Mew