Data Sovereignty: the Only Truly Safe Path to Avoid Privacy Shield Turmoil

With the European Parliament calling for the suspension of Privacy Shield from 1st September, how should ethical, customer-centric organisations respond?

Privacy is not just a legal obligation, it is an ethical commitment and a demonstration that you care about your customers’ privacy as much as they do.

Many people will be surprised to hear that although the EU General Data Protection Regulation (GDPR) took effect on 25th May, many companies are not yet GDPR-compliant. The regulation requires organisations to comply, and our Information Commissioner has signalled that organisations need to be actively continuing efforts to achieve (and maintain) compliance.

Of course, those organisations that have an ethical commitment to privacy and that wish to demonstrate that they care about their customers’ privacy as much as they do, will be among the cohort that are already compliant. And they will do everything in their power to remain compliant.

Potential fines for violating the GDPR are significant. They include up to four percent of an organisations’ annual profits or €20 million (approximately $23 million) – whichever is greater. The fines are not the only thing to worry about though. The Information Commissioner’s office (ICO) can also revoke an organisations’ right to process data, a sanction that could be crippling. And then there is the reputational damage associated with any data breach. Ethical, customer-centric organisations will be acutely aware of customer opinion and loyalty, and this will be foremost in the minds – far ahead of the actual fines.

The Data Sovereignty Dilemma

A storm on the horizon is the current status of the data sharing framework between the EU and the US called Privacy Shield. This is used by many organisations to demonstrate adequate levels of personal data protection, permitting transfer of such data between the EU and the US.

Privacy Shield was adopted in July 2016 as a replacement to Safe Harbor. In a 2015 decision by the European Court of Justice, Safe Harbor was determined to provide inadequate privacy protection.

The EU and US authorities then quickly introduced Privacy Shield as a replacement legal framework. Under the Privacy Shield certification process, companies must self-certify their commitment to compliance with the Privacy Shield requirements. Oversight has been somewhat more rigorous in the EU, where privacy is seen as a human right, than in the US where there has been minimal commitment to enforcing the framework.

Numerous concerns, including the abuse exposed by the Cambridge Analytica scandal, have led European privacy organisations and agencies to call for the suspension and/or outright revocation of Privacy Shield. Similar concerns and challenges have been levelled against the “Standard Contractual Clauses”, which are another mechanism to ensure the compliant transfer of EU personal data out of the EEA to jurisdictions that the European Commission has not deemed to be “adequate”.

The continuing legal uncertainty about transferring personal data out of the EU has led many global companies, in particular those from the US, to establish data processing and storage capabilities within the EU, and in some cases specifically within the UK.

This enables the global giants to avoid the data transfer issues but does not in itself address concerns about data jurisdiction. Foreign sovereign powers can and do demand access to data if the company holding that data is subject to the foreign jurisdiction. In the absence of any specific agreements between the EU and US about these kinds of data transfers, question marks remain over GDPR compliance, and there are further serious implications for Privacy Shield’s future.

How should ethical, customer-centric organisations respond?

All organisations operating in the EU and holding or processing personal data will need to be actively continuing efforts to achieve (and maintain) GDPR compliance. Those that also transfer data across the Atlantic and currently relying on Privacy Shield to demonstrate adequate data transfer protections, will also need to monitor developments regarding Privacy Shield and consider additional and alternative methods of proving compliance. Those organisations that pride themselves in being particularly ethical and customer-centric may want to take further provisions, such as ensuring data sovereignty for all personal data.

Example: the NHS

Guidance from NHS Digital on the off-shoring and the use of public cloud services states that:

NHS and Social care providers may use cloud computing services for NHS data. Data must only be hosted within the European Economic Area (EEA), a country deemed adequate by the European Commission, or in the US where covered by Privacy Shield.

With the risks of revocation or suspension of Privacy Shield now escalating, reliance on Privacy Shield alone is inadvisable. Trusts could consider the use of the EU Standard Contractual Clauses, although these are also being challenged in the European courts, or prepare for whatever other methods are approved by the EU regulatory authorities following the Privacy Shield review. A more certain (risk-free) course of action would be to opt for complete data sovereignty for patient data by retaining the data in the UK and using a UK-based service provider for these workloads.

Firms that operate in the US are subject to US law, including FISA and the CLOUD Act, neither of which will easily be incorporated into the next version of Privacy Shield. While they can offer a level of data residency (offering to keep your data in the UK), the CLOUD Act eliminates protection for data stored overseas, and provides them with no legal recourse to withhold data from the NSA and other US law enforcement bodies, meaning that they cannot guarantee data sovereignty.

Recent research by the Corsham Institute highlighted increasing patient awareness of data privacy issues with a growing public desire for more information on data storage in the NHS. 88% of adults said that it is important to know where and how their patient data is stored and 80% said that it is important to know whether patient data is hosted by companies whose headquarters are outside of the UK.

While public confidence in the NHS is currently high, the significant increase in privacy awareness means that there’s a real risk that any incidents, such as a repeat of the Wannacry malware, could expose weaknesses in sovereignty, efficiency and data security, leading to a potential patient backlash. Further details of the Corsham Institute research can be found here.

With many Trusts already opting to ensure data sovereignty by placing patient data and workloads with UK-based cloud service providers, there is no reason that other Trusts should not follow suit. After all there is no real need to move patient data offshore or to use foreign service providers. Nor the need for trusts to expose themselves to risks relating to the potential revocation or suspension of Privacy Shield and no real need to expose themselves to a potential patient backlash in the event of future incidents.

Other customer-centric organisations might also be wise to follow the example of these Trusts and accelerate their move to the cloud in order to enhance operational efficiency, but do so without neglecting data sovereignty.