Collateral Damage in the Cloud: The Jurisdictional War over Personal Data
Tue 23 Jun 2015
Richard Beaumont is the Privacy Services Manager for Governor Technology, a leading data privacy services provider offering bespoke software solutions, products and consultancy to companies looking to understand and manage data privacy compliance and best practice. Here he reviews the consequences of current contentions over data sovereignty in Europe, America and beyond…
It may already be a little clichéd to talk of data as the new oil, but personal data is undoubtedly a lubricant of frictionless digital economics. The wheels of many free services would stop turning if consumers didn’t keep filling the tank with their Likes, tweets and cat videos.
However, just as both consumers and businesses have got used to the idea of sending all this information into the cloud without concerning themselves about where it actually goes, the business model of global services powered by distributed data is coming under attack. New legal frameworks are threatening to create or strengthen digital borders, stemming the flow of personal data migration.
Though legal restrictions on the global movement of personal data are not entirely new, the effectiveness of existing frameworks has more recently been called into question. As this data has become more important, valuable – and of course voluminous – tensions between different interests and cultural attitudes have increased to the point where ‘balkanisation’ of web services and the underlying infrastructure of the web is a very real possibility.
The EU-U.S. Safe Harbour programme
One of the biggest data trade deals is the EU-U.S. Safe Harbour programme, the most relied-upon legal instrument facilitating the exit of personal data from the EU to U.S. companies. That deal has been under threat ever since Edward Snowden went public over the collection and use of personal information by the U.S. and other allied intelligence agencies.
Alongside stories about lapses in regulation of U.S. companies signed up to Safe Harbour, existing arrangements have been the subject of intense negotiation over the last 2 years. As things currently stand, although no-one really wants it, the EU could pull the plug on Safe Harbour if its demands for change are not met by U.S. authorities.
If the data taps are forced off, what then? Much of the transatlantic movement of data would have to be brought to a halt. Even setting aside the economic consequences, the modifications to services required to ensure that data was prevented from flowing illegally would be significant.
One element of web balkanisation is the idea that companies may be forced to keep personal data within the jurisdictional boundaries of its original point of collection or risk not being allowed to trade within that country. In Russia, this is already a reality. From 1 September this year, all personal data on Russian citizens must be located in Russian data centres. Although the publicly-stated reason for this is to protect the privacy rights of Russians, there remain suspicions that the primary purpose is to ensure that State can better monitor its own citizens. Whatever the reason, international companies wanting to do business in Russia are expected to comply.
In the wake of Snowden, similar requirements were proposed in Brazil – although these were dropped at the last minute from an Internet Civil Rights Bill enacted in 2014. However data localisation laws do exist in parts of South East Asia, and India too is reportedly considering the idea.
Back in Europe there are the continuing negotiations over the draft General Data Protection Regulation (GDPR) to consider. This legislative juggernaut is also seeking to extend the jurisdictional boundaries of protection of personal data. Rather than go for a strict localisation approach, the GDPR is about attaching specific rights to the data regardless of where it ends up. Will companies need to develop solutions that tag location origination to personal data to then identify what rights apply?
Ireland at the centre of data sovereignty storms
There is much also talk about the ‘European Cloud’ but it is not really clear what this means. Twitter has recently announced that data of account holders outside of North America will be controlled from Dublin, and therefore subject to Irish Data Protection laws. Dropbox has also followed suit. However, what this may mean in the future in terms of where the data may need to be physically located, and the legal obligations of the data centres involved is very much unresolved.
Facebook has claimed Dublin as its EU regulatory home for years, but Belgian authorities have recently been challenging this assertion, demanding that Belgian law should apply to the personal data of Belgian residents.
Set against a general tide of increasing consumer privacy protections, there are conflicting demands for greater access to personal data for law enforcement. The UK government has talked about there being no place criminals can hide online, an apparent call for back doors and keys to encrypted services, with little recognition of how this might also make systems more vulnerable to the increasing volume and sophistication of malicious attacks on digital systems. Many of these are interested in getting their hands on the same data.
One case making its way through the U.S. courts at the moment involves Hotmail account data held in Dublin. U.S. law enforcement wants the information for an ongoing investigation and is arguing that Microsoft Corp. as the owner of the data centre, is obliged to hand it over under U.S. law. The company would also be obliged to keep that hand-over secret, which could be in breach of Irish law. Microsoft is fighting the case but so far they are losing the battle. If they do eventually have to hand the data over, there could also be a devastating loss of trust amongst its global customer base, as well as consequences for how Microsoft may have to re-structure its services.
Frontline responsibility for compliance with such laws normally lies with the service providers that are collecting the data, but they will look to their infrastructure vendors for both appropriate solutions and assurance of compliance. But the Microsoft case demonstrates it’s not always straightforward, and there are no indications that the stream of contentions and controversies are going to dry up anytime soon.