The end of the EU-US Privacy Shield scheme – One aspect of a larger problem with ‘sensitive data’ transfer between the UK and the EU

A decision by the Court of Justice of the European Union (CJEU) has just rendered the EU-US Privacy Shield invalid. This is the scheme that allowed EU members to move data to the USA without worrying about GDPR. Allegedly – it was always more popular in the USA than in the EU.

So, colour me very unsurprised. The EU Data Protection people I met disliked Privacy Shield. With good reason given US security laws that, in effect, give their spooks access to anything they want – as long as it is stored or processed by a US-owned firm.

This matters because the EU takes the privacy of sensitive personal information about EU citizens very seriously, and the USA much less so. You may think that the status quo is working OK and there is no reason for it to change. There is: we are currently in a transition period and still being treated as a member of the EU, more or less; this will stop at the end of 2020 and (unless a deal gets negotiated) we will then be fully outside of the EU.

So, imagine this use case: a UK company trades globally, has customers both in the USA and the EU, and uses a US-owned SaaS product. I have heard a US company tell its customers that Privacy Shield was an absolute panacea against any GDPR issues. It never was and, to be fair, the one I’m thinking of built/is building EU data centres (not, I hope, just in London, as we aren’t in the EU any longer), because their UK and EU customers simply didn’t believe its assurances.

But how good are the US SaaS provider’s internal procedures at ensuring that no sensitive data on an EU server can ever find its way onto a US server, perhaps as a backup or contingency file? And would it refuse to hand over EU data from its EU servers if an American security agency asked for them? Until now, it probably relied on Privacy Shield to cover such eventualities. Whether that worked or not in the past, now it definitely doesn’t. I await some test cases with interest – the GDPR regulations have teeth and are more concerned with the principles of data privacy than the letter of the law anyway.


My understanding, based on lectures at the IoD on the impact of Brexit a year or so back, is that this is one aspect of a far bigger potential problem for any UK company that allows the sensitive data of EU citizens, perhaps domiciled in the UK, onto its databases. The EU expects this EU data to have the same “adequate” level of protection in these UK databases as it would have in the EU – and whether this protection is “adequate” is determined by the EU data protection authorities. Boris Johnson can’t attain “adequacy” unilaterally by implementing GDPR in the UK (no matter what he says); it has to be granted by the EU (and parts of Germany that are very hot on privacy have, in effect, a veto).

As far as I can see, there are five possible (more or less sensible) consequences for a UK company that currently sells to EU citizens (but please do check this with your lawyers; and make sure that they really do understand GDPR):

  1. It follows UK GDPR rules and hopes that no EU citizen minds. That is very high risk, so I hope its risk management processes are first-rate. The Privacy Shield case shows that some EU citizens really do care about privacy (the EU regulators certainly do); the GDPR fines can be swingeing (I’d think they’d fall on any company representatives in the EU); and the EU regulators have a reputation for liking high-profile test cases that remind firms that GDPR matters.
  2. It refuses to trade with any EU citizens under any circumstances. That might be hard to enforce and has business implications, but it may be the simplest way out for many SME UK-only traders. Post Brexit, the whole world may not be our oyster.
  3. It sets up its customer database in the EU and only stores and processes the data of EU citizens in the EU. That is non-trivial (simply accessing sensitive data from the UK office probably breaks GDPR) but feasible. I hope the company is already well on the way with this project, if it takes this route.
  4. The company simply moves to the EU and sets up business there. Hard luck for UK Plc. – and quite disruptive for the company.
  5. The company sets up Standard Contractual Clauses (SCCs) for the transfer of sensitive data, in the context of a GDPR-compliant privacy program. This is probably going to be the least-worst option, in practice, but it is non-trivial, IMO, and is also subject to legal challenge. It will not be further considered here, except to say that GDPR-aware US companies are probably already pursuing this route and have the resources to do so. I don’t think that this is any sort of simple panacea – but do talk to your lawyers if you think you are affected by SCCs or want to implement them, don’t just take someone’s word as to their adequacy.

There is a possible sixth consequence. Everybody ignores this cross-border sensitive data transfer issue until the day after transition ends – and chaos ensues. Or perhaps, with rather a lot of luck and goodwill, nothing happens. But in a long life I’ve usually found that ignoring a potentially serious problem and hoping that it just goes away tends to end up being very expensive.

What would be extremely nice, as part of any sort of Brexit deal, is an ‘adequacy decision’ from the EU covering the UK implementation of GDPR – but there are serious difficulties with this (when the UK rejects the EU’s Charter of Fundamental Human Rights, data privacy is no longer a fundamental human right, for example), so don’t hold your breath.

To summarise, what this all means is that managing cross-border data movements between EU and non-EU countries really does matter, largely because of GDPR and because the regulations have to be agreed with the EU and can’t be implemented unilaterally by the UK. This is a particular problem for the UK (as opposed to, say, Australia) because UK business has been heavily integrated with EU business for a long time. It is very hard to see how UK-EU trade can operate without some movement of the sensitive data of EU citizens between the EU and the UK, and UK companies should already have started to address the implications of this issue. Has your company started on this yet?

David Norfolk

My current main client is Bloor Research International, where I am Practice Leader with responsibility for Development and Governance. I am also Executive Editor (on a freelance basis) for Croner's IT Policy and Procedures (a part-work on IT policies). I am also on the committee of the BCS Configuration Management Specialist Group (BCS-CMSG). I became Associate Editor with The Register online magazine – a courtesy title as I write on a freelance basis – in 2005. Register Developer, a spin-off title, started at the end of 2005, and I was launch editor for this (with Martin Banks). I helped plan, document and photograph the CMMI Made Practical conference at the IoD, London in 2005 (http://ww.cmminews.com). I have also written many research reports including one on IT Governance for Thorogood. I was freelance Co-Editor (and part owner) of Application Development Advisor (a magazine, www.appdevadvisor.co.uk, now defunct) for several years. Before I became a journalist in 1992, I worked for Swiss Bank Corporation (SBC). At various times I was responsible for Systems Development Method for the London operation, the Technical Risk Management framework in Internal Control, and was Network Manager for Corporate group. I carried out a major risk evaluation for PC systems connecting across the Bank’s perimeter to external systems and prioritised major security issues for resolution by the Bank’s top management in London. I also formulated a Security Policy for London Branch and designed a secure NetWare network for the Personnel Dept. Before 1988 I was an Advisory Systems Engineer in Bank of America, Croydon, in database administration (DBA) on COBOL-based IMS business systems. Before 1982, I worked in the Australian Public Service, first as a DBA in the Dept of Health (responsible for IMS mainframe systems) and latterly as a Senior Research Officer 2 in the Bureau of Transport Economics.
Specialties: I have the ability to extract the essence of significant technical developments and present it for general consumption, at various levels, without compromising the underlying technical truth.
