Analysis of EU-US Privacy Shield

From Dan Shearer CV. Revision as of 17:34, 25 November 2021 by Dan.

Privacy Shield was a 2016 self-certification scheme under which US companies undertook to hold themselves to the strict privacy rules of the European Union when processing data relating to EU entities. I have been researching, advising, consulting and teaching on the collapse of Privacy Shield since 2016, including this substantial 2017 Privacy Shield paper, which has extensive detailed references.

On 16 July 2020, the Court of Justice of the European Union struck down the EU-US Privacy Shield. The effects are only now becoming clear in 2021, as users begin to realise that changes will be required in order to avoid using US cloud products.

Summary

This is the second time this court has decided the same question (the first was the 2015 judgement striking down Safe Harbor, Privacy Shield's predecessor), so the matter is settled. In brief, after four years, the Court is satisfied that the United States violates the privacy of EU citizens and residents, and therefore US companies are not permitted to hold their personal data. There are some unclear areas, and the giant US cloud companies are using their money to spin the issue, but the Court has in effect said that there must be an irreversible shift away from US cloud companies, even if they promise to hold data within the EU and even if they are otherwise highly compliant. There is no getting around the fact that the US government can access any of that data at any time without asking.

The details are complicated, but factors include:

  • the Digital Single Market
  • the human-rights-based privacy laws of the EU
  • various US Presidential Executive Orders stripping privacy protections from non-US citizens
  • conflicting privacy defaults in EU and US law
  • dependence on the goodwill of the US president to respect EU privacy, rather than on US statute

These are a maze of overlapping interests and conflicts.

FAQ

What Does This Mean for Cloud Companies?

From 2021, US cloud companies such as Google, Amazon and eBay are slowly becoming either deprecated or illegal to use within Europe. Multiple countries have already banned these companies for government use, and the restrictions keep tightening. The companies are fighting hard, but this is not the first time the same court has passed the same judgement. There is no legal change for EU-based cloud companies, which are unaffected.

What Does This Mean for EU Tech Companies?

Opportunity. Facebook, Gmail and Amazon AWS (for example) are far from unique, and their technical features have already been replicated elsewhere, although they have large amounts of cash to help them fight and evolve. EU tech companies that have standardised on the Google or Amazon APIs, for example, already know they are committed to regular refreshes and upgrades, so change is not unthinkable. For EU cloud suppliers, competition is already fierce, but the barrier to entry is still quite low once the US cloud providers are barred. So far only EU governments are actively banning US cloud, but this looks like an inevitable shift.

What Does This Mean for EU Consumers?

This process can feel a little like looking for ecological alternatives to common items. Some services are immediately replaceable, such as email. Others require a more thoughtful approach depending on the user, such as the physical aspects of Amazon shopping and delivery.

Isn't EU Cloud Immature?

Not any more. If you insist on hyperscale cloud, there are few EU companies offering it. But why do you want hyperscale cloud?

Why is Privacy Described as a Race to the Top?

"Race to the Top" describes the whole problem of the EU-US Privacy Shield. The EU has much higher privacy standards than the US. An EU company can, within certain limits, easily detune from EU standards to US standards if it needs to do business in the US; from a technical point of view this is straightforward if its systems were designed with that in mind. Unfortunately for US companies, the reverse is not possible. Even if a US company complies perfectly with every EU law, US law still obliges it to make EU data available to the US government. EU companies therefore have a very significant advantage.

Is the US Government Really That Bad?

Yes. Some other governments may be just as bad, but only the US hosts the majority of the cloud services used by EU citizens and residents, and the US explicitly removes statutory privacy protections from everyone who is not a US citizen or lawful permanent resident. Section 14 of US Presidential Executive Order 13768, Enhancing Public Safety in the Interior of the United States (25 January 2017), states:

Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

(To be quite precise, there was some protection in an agreement called the EU-US Umbrella Agreement, and the US Congress passed the Judicial Redress Act to make the Umbrella Agreement effective. But in July 2020 the EU Court of Justice held that none of that is of any use: the US still surveils all of this data all of the time, that is contrary to EU law, and therefore US cloud is not permitted to hold EU personal data. These details are in the paper referenced above.)