Analysis of EU-US Privacy Shield

From Dan Shearer CV

Privacy Shield was a 2016 self-certification scheme for US companies to hold themselves to the strict EU privacy rules. In 2020 Privacy Shield was struck down by the EU Court of Justice. In non-technical terms, the Court said: There is no way Privacy Shield can work. So don't use US-controlled cloud companies such as Google or Amazon.

In late 2021 this decision started rippling out across Europe, as one place and then another moved away from these giant US companies, starting with government users. We all like familiarity and wish to avoid change, so this decision seems astonishing to many people. Once organisations get over their surprise, it is not so difficult to do. It remains to be seen what these US companies will do in 2023. Some of them are wealthier than several smaller EU nations combined.

I have been researching, advising, consulting and teaching on the collapse of Privacy Shield since 2016, including this substantial Privacy Shield paper with extensive references, if you like footnotes.

On 16 July 2020, the EU Court of Justice decision striking down the EU-US Privacy Shield was the culmination of years of effort by many people to highlight human rights abuses. Privacy and human rights are two sides of the same coin, and this is demonstrated clearly in Privacy Shield.

Privacy Shield shot to pieces

Summary

This is the second time the Court of Justice has decided the same question. In brief, after 4 years, in 2020 the Court was completely satisfied that the United States violates the privacy of EU citizens when the personal data of EU citizens is visible to the US government, and that the US has no intention of changing its behaviour. Therefore, US companies are not permitted to hold the personal data of EU citizens and residents.

There are a few unclear areas and the giant US cloud companies are using their money to spin this issue, but it seems the Court has started a measurable shift in attitudes towards US cloud companies. Even if these companies promise to hold data within the EU, and even if they are otherwise highly compliant, there is no getting around the fact that the US government insists it is able to access all data at all times without asking permission or informing anyone.

The details are complicated, as documented in the paper mentioned in the first paragraph above. Factors include:

  • the Digital Single Market
  • the fact that the six or so EU security and privacy laws are based on international Human Rights (derived from the UN Charter of Human Rights)
  • various US Presidential Executive Orders stripping privacy protections from non-US citizens, which almost-but-don't-quite apply to EU citizens, yet
  • conflicting privacy defaults in EU and US laws
  • dependence on the goodwill of the US president to respect EU privacy, rather than relying on US statute
  • US Supreme Court decisions allowing a kind of Universal Jurisdiction in data matters

These are a maze of overlapping interests and conflicts, and while it is important for specialists to follow the ins and outs, in the end there is one clear message:

If you are dealing with personal data of EU citizens or residents, including any communication where at least one party is an EU citizen or resident or is even in the EU at the time of the communication... then you should not be using US companies to handle that data.

FAQ

Is This Just About Pure Human Rights?

No. The EU decided in 2014 to create a Digital Single Market to mirror the physical Single Market. The EU calculated that the only way to do this was to foster trust in consumers, and the only way to do that was to emphasise privacy as a basic Human Right. The thinking of the EU is that economic prosperity will follow if Human Rights are respected. But yes, it is also about pure Human Rights too.

What Does This Mean for Cloud Companies?

US cloud companies such as Google, Amazon, eBay etc. are, from 2021, slowly becoming either deprecated or illegal to use within Europe. Multiple countries have already banned these companies for government use, and the restrictions keep tightening. These cloud companies are fighting hard, but this is not the first time the same court has passed the same judgement. There is no legal change for EU-based cloud companies, which are unaffected.

What Does This Mean for EU Tech Companies?

Opportunity. Facebook, Gmail and Amazon AWS (for example) are far from unique and their technical features have already been replicated elsewhere, although they have large amounts of cash to help them fight and evolve. EU tech companies who have standardised on Google or Amazon APIs, for example, already know they are committed to regular refreshes and upgrades, so change is not unthinkable. For EU cloud suppliers, competition is already fierce but the barrier to entry is still quite low, once the US cloud providers are barred. So far it is just EU governments that are actively banning US cloud, but this seems to be an inevitable shift.

What Does This Mean for EU Consumers?

This process can feel a little like looking for ecological alternatives to common items. Some services are immediately replaceable, such as email. Some require a thoughtful approach depending on the user, such as the physical aspects of Amazon shopping and delivery.

Isn't EU Cloud Immature?

Not any more. If you are insisting on hyperscale cloud, there are few EU companies. But why do you want hyperscale cloud?

Is the US Government Really That Bad?

Yes. Even if some others are just as bad, only the US has a majority of the cloud services used by EU citizens and residents. The US explicitly removes all protections from everyone in the world. The US Presidential Executive Order Enhancing the Public Safety states:

Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

(To be quite precise, there was some protection in an agreement called the EU-US Umbrella Agreement, and the US Congress passed the Judicial Redress Act to make the Umbrella Agreement effective. But in July 2020 the EU Court of Justice said none of that is any use. The US still spies on all data all the time, and that is against EU law, therefore US cloud is not permitted to hold EU personal data. These details are in the paper referenced above.)

What About the UK?

The UK is no longer in Europe, although for an interim period it is legal to store the data of EU citizens in the UK. The UK has backed the US repeatedly in its data protection laws. It is beginning to look like data mobility post-Brexit is going in one direction only, which is away from the UK. This is not yet settled case law, but changes are happening fast in this area. The UK has very little relevance to Privacy Shield-type issues any more.

Why is Privacy Described as a Race to the Top?

"Race to the Top" describes the entire problem of the EU-US Privacy Shield. The EU has much higher standards in privacy than the US. An EU company can easily detune from EU standards to US standards if required to do business in the US, within certain limitations. It is definitely easy from a technical point of view if systems have been designed with this in mind. Unfortunately for US companies, doing things the other way around is not possible. Even if the US company complies perfectly with every law, the decisions of the US mean that they still have to make EU data available to the US Government. EU companies have a very significant advantage.