The End of the Privacy Shield Agreement Could Lead to Disaster for Hyperscale Cloud Providers

Key Takeaways

  • While the Privacy Shield agreement has been terminated, Standard Contractual Clauses (SCCs) haven’t been annulled.
  • Cloud infrastructure bigshots are trying to retain and pacify customers by issuing misleading statements that will only confuse users.
  • Non-compliance with surveillance laws can be very costly for the guilty parties.
  • Reforming US surveillance laws, though optimistic, is the only plausible solution to protect people from paying hefty fines.

According to the new Cloud Adoption in 2020 report from O’Reilly Media, there has been a significant increase in dependence on cloud computing. While this would normally be good news for major hyperscale cloud providers, the recent ending of the Privacy Shield agreement by the European Court of Justice (ECJ) might just be a spoiler nobody expected.

Privacy activists predict that the demise of the Privacy Shield agreement can create serious ramifications, which can put tremendous pressure on big-name cloud infrastructure providers like Amazon Web Services (AWS), Microsoft, and Google.

Read on as we discuss what this means for customers that use the services of these providers and whether there are solutions that can help fix this issue.

What was the Privacy Shield?

The Privacy Shield Framework was an agreement between the EU and US that aimed to provide ‘companies on both sides of the Atlantic with a mechanism to comply with data protection requirements in support of transatlantic commerce,’ as per the statement on the framework’s website.

In other words, the framework was a recognized mechanism for complying with EU data protection requirements whenever personal data was transferred from the European Economic Area (EEA) to the United States.

It forced businesses to process or transfer personal data in a manner that is consistent with the Privacy Shield principles. The parties were also fully accountable and required to take the necessary measures to keep personal data secure from any unauthorized access and protect it.

Here’s an at-a-glance list of the seven Privacy Shield principles:

  • Notice: It’s necessary for organizations to publish privacy notices that contain specific information about their participation in the Privacy Shield Framework. This includes privacy practices, EU resident’s data use, and data collection and sharing with third parties.
  • Choice: Organizations must have a mechanism in place that allows individuals to opt-out of disclosing personal information to third parties or having their data used for different purposes other than ones specified.
  • Accountability for Onward Transfer: Organizations must enter into contracts with third parties or agents who will process personal data for and on behalf of the organization. They should also be consistent with the Privacy Shield principles.
  • Security: Reasonable and appropriate measures must be taken by organizations to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
  • Data Integrity and Purpose Limitation: Organizations have to take reasonable steps to limit processing to the original purposes for which the data was collected.
  • Access: Organizations must provide a method to request access, correct, amend, or delete the collected data.
  • Records, Enforcement, and Liability: Organizations will have to face the consequences for any noncompliance. This principle also addresses the recourse for affected individuals and compliance verification.

The idea here was to ensure stronger supervision and enforcement activities by the US government organizations, along with improving cooperation and transparency for the involved parties. It was particularly beneficial for EEA citizens since it provided them with new privacy and security protections to prevent critical data breaches and enhance complaint resolution.

Why was the Privacy Shield Framework annulled, and what does it mean for you?

Recently, the ECJ concluded that Privacy Shield was failing – it failed to protect the privacy of the people whose data was being transferred to the US.

The body found that US surveillance programs were not limiting themselves to what was necessary, and that data subjects didn’t have legal recourse in the US in the event of complaints. In the end, the ECJ ended up annulling the Privacy Shield agreement, which left the future of EU-US data transfers stuck in legal limbo.

You see, organizations need access to personal data for better decision-making that can ultimately accelerate growth and development. But this shouldn’t be at the cost of losing control over the processing and transfer of data. 

Further, the complexity of modern software applications, with the need to deploy them across different platforms and devices, has made software testing imperative to prevent unauthorized authorities from gaining access to personal data. The added urgency of the news constantly brimming with successful cyberattacks has also heightened the need to embrace thorough quality assurance (QA) testing methodologies so that the use of software applications and the transfer of information through the internet are as safe as possible.

However, considering how flawed the current data privacy landscape is, data anonymity is still a distant dream.

It was a leading privacy advocate, Max Schrems, who challenged the Privacy Shield agreement and argued that the US security laws were inadequate and hence, not safeguarding the data of EU citizens from surveillance. 

Schrems demanded that the Irish Data Protection Commission (DPC) suspend Facebook’s future use of Standard Contractual Clauses (SCCs), a mechanism that authorizes shifting user data to the US for processing.

While the ruling did end the Privacy Shield agreement, the SCCs aren’t safe either. Although they are still theoretically usable, they aren’t a viable option for transferring EU personal data to the US in the absence of additional protections against US government surveillance.

A tough realization for cloud infrastructure providers

Companies like Amazon Web Services (AWS), Google, and Microsoft were initially happy that SCCs weren’t annulled. But they soon realized how the Privacy Shield ruling could have more adverse consequences for them in the long run.

Soon, all three big shots issued statements in a bid to assure customers that their clouds were still open, with Microsoft assuring its commercial or public sector customers that they could continue using Microsoft services without breaking European law.

However, a few privacy advocates were quick to point out that only those companies who continue to use SCCs can continue providing assurances about protecting data, whether at rest or in transit, from third-party surveillance. So several of these statements were misleading.

Google, for instance, is an electronic communication service provider, as a result of which it falls under both categories. The platform may very well be the largest search engine. Yet, the increasing awareness of data security and privacy might force users to look for other reliable options that assure the more secure sharing of private information online. 

Virtual private networks (VPNs) help you achieve that by securing your public internet connection through encryption and shielding your online activity from cybercriminals (as well as your own Internet Service Provider, or ISP). In terms of your online privacy, the most secure VPNs today are transparent about their privacy policies, take steps to fix leaks, and won’t keep logs of your browsing history.

Understanding available options for companies to continue moving data from the EU to the US

Companies that do business in the EU and bring customer data to the US need to make dramatic changes to ensure data privacy. Otherwise, they may end up paying significant fines.

Below, we have discussed the five available options for companies to carry on undisrupted businesses, depending on the extent of potential impact.

Option 1: Have SCCs put in place

Agreements to enable data transfer between companies or companies and consumers will likely have a fall-back clause – provided they were well-written. If so, this will automatically sanction SCCs to govern data transfer in case of previously shared annulment.

Basically, what companies can do is review their contracts to make sure that SCCs are in place and enabled. If not, they can get the signature or an addendum signed to enable SCCs as a part of every customer agreement.

Option 2: Halt data transfer from the EU to the US altogether

In the absence of Privacy Shield or SCC, companies should consider stopping any transfer of data from the EU to the United States if they don’t want to face significant fines.

Companies that can stop data transfer to the US and can manage to operate exclusively in the EU will not only avoid fines but also avoid any contract review and amendment. At the same time, this can be challenging for companies, especially those who are accessing company tools and services with EU customer data.

Option 3: Open a legitimate EU location

You’ll find that most of the big Internet consumer companies have an EU-based data controller, which gives them the advantage of the one-stop-shop principle.

This allows them to choose the EU country they want to deal with regarding privacy matters, along with helping them enlist the services of an EU-based DPO and have a backup data transfer mechanism.

The catch here is that this process is fairly expensive. To qualify as an EU controller, organizations need to staff it, so that the entity can “determine the purposes and means of the processing of personal data.” In other words, hiring a DPO becomes a mandate.

In the past, the IIRC, the Irish Data Protection Commission, has chastised a few companies for not staffing their controllers adequately, which created problems for them to meet the GDPR requirements. The privacy lawyers for these companies remained in the US headquarters.

Plus, having an EU location also increases GDPR-enforcement risks for organizations.

Option 4: Casually opening an EU operation

Opening an EU operation can be done in three easy steps:

  1. Contract with a company that can act as your controller
  2. Find and hire an outside counsel to be your DPO
  3. Sign standard contractual clauses

This option has its own share of positives and negatives. The biggest benefit is that it’s certainly cheaper. However, the whole thing looks like a sham since the controller isn’t exactly acting as a controller. This person has no say on how the company uses personal data.

The other disadvantage is that you won’t be off the hook when it comes to fines, thanks to a controller-indemnification in place. Let’s not forget that since the controller will be right there in the EU, it won’t be difficult to issue and collect lucrative fines from companies.

Option 5: Cease business operations between the US and the EU

Yes, this is definitely a costly solution, but it’s a solution nevertheless.

American companies may have to stop doing business in the EU, and EU companies will have to stop using American companies as vendors. This, of course, would only apply to companies that transfer data for business.

After all, if you’re not going to comply with the GDPR, the next best option is to not be in the EU at all, especially since the EU has been rather unwilling to try to enforce the GDPR in the US.

If you’re considering things from a theoretical point of view, then it does sound doable. A data protection commissioner (DPC) based in the EU could issue a fine and then fly across the Atlantic to ask a US court to enforce it.

In reality, however, the DPCs aren’t willing to even look at a US-only company.

Other legal mechanisms

Organizations can resort to something known as Binding Corporate Rules (BCRs) as well when transferring data. There are still problems, though.

First and foremost, BCRs are very complex to set up, especially when it’s a joint venture or fractional ownership. The involved entities have to accept liability for litigation by data subjects.

Secondly, they need formal approval from the organization’s local EU regulator. Considering the new context, this is not an easy feat and can also cause significant delays. Also, despite covering commercial dealings, Article 49 derogations cannot be used for repetitive transfers. But yes, they could expedite occasional sales from the US to the EU.

As for the US, no solutions seem to be in place. State officials have expressed disappointment at the Privacy Shield invalidation, but are still claiming to study the decision to understand its practical impacts. Moreover, they are hoping to limit the negative consequences to the $7.1 trillion transatlantic economic relationship, but if they don’t take measures within a reasonable timeframe, substantial losses will be incurred.

Now, it’s true that the whole process will take time, but that doesn’t change the fact that there is a high possibility that existing data flows to the US will be deemed unlawful in many cases.

US surveillance law reforms are a necessity

Keeping this in mind, non-compliance with laws can prove to be a costly affair. Financial literacy can keep people out of bad situations, but the fact that only 24% of millennials, who are the largest generation in American history, demonstrate it highlights the importance of having a more permanent solution.

For instance, Facebook had to pay a staggering $5 billion fine after violating a 2012 FTC order by deceiving users about their ability to control the privacy of their personal data. Even Google and British Airways paid $59 million and $235 million approximately for a lack of transparency on data harvesting and inadequate security mechanisms, respectively.

The fitting solution then? Reforming US surveillance laws. The only catch here is this is still a long shot.

You see, if tech companies want to work out a deal to have a fall-back plan in the form of an SCC to continue data transfer, the US surveillance laws will have to be revamped to enhance protection. While this is definitely a challenging task, there is still enough wiggle room to get a compromise.

Additionally, a European cloud project known as Gaia-X was also unveiled at the beginning of 2020. This initiative is a collaboration between the European Commission (EC), France, Germany, and other organizations on the other side of the Atlantic. Investments are already rolling in to restore the continent’s ‘technological sovereignty.’

The fact that US cloud firms cannot use the SCCs until the US laws are reformed can give a solid momentum to this Europe initiative, which, in turn, increases the pressure on AWS, Microsoft, and other cloud infrastructure providers.

The bottom line

Customers are becoming increasingly aware of the cruciality of data privacy and security.

In the US, it’s still the states that are driving the dialogue as far as privacy law is concerned. So hoping for surveillance law reforms is definitely an optimistic but not a reliable solution. The recent Gaia-X initiative also creates a compelling business case.

Nevertheless, it’ll be interesting to see what the hyper-scalers will figure out to stay in Europe to maintain their dominant market share given the circumstances.

About the Author

Nahla Davies is a software developer and tech writer. Before devoting her work full time to technical writing, she managed—among other intriguing things—to serve as a lead programmer at an Inc. 5,000 experiential branding organization whose clients include Samsung, Time Warner, Netflix, and Sony.
