Having your cake and eating it

To say that 2016 has been an interesting year is putting it mildly. As the year draws to its end, the tensions between national security and individual privacy rights have yet again been thrown into stark relief.

Over in the US, amendments to Rule 41, which sets out US federal search and seizure rules relating to criminal proceedings, now give US judges the ability to hack into any device anywhere in the in the world. Here in the UK the Investigatory Powers Bill has just received Royal Assent. The bill gives our government unprecedented access to stored digital data. Neither governments are unique. Governments across the world have laws in place that permit access to digital data.

Safe Harbor, the seemingly unimpeachable data transfer agreement between the EU and the US, was overturned in 2015 due to the efforts of the privacy rights movement to ensure the issue of US indiscriminate mass surveillance of EU personal data had its day in court. Data Protection Law in the UK and Europe is on their side. When the General Data Protection Regulation (GDPR) becomes law in 2018, the privacy rights movement will have an even stronger regulatory backing.

At the same time, we live in a world where cyber-crime is increasing at a frightening rate, where terrorists are groomed, recruited and instructed online. Whilst we expect our governments to respect our privacy rights, we also expect our governments to keep us safe and secure, whether that is in the virtual or physical world. Do we (to coin the now infamous Brexit phrase) want to have our cake and eat it?

The answer is yes - why shouldn’t we? One of the biggest hurdles in achieving this is that we live in a regulatory world that cannot keep up with the pace of technology. New regulation takes years to enact. In comparison digital is moving at the speed of light. Current regulation simply isn’t fit for purpose for a digital world, which by its nature can’t be defined by geographical or jurisdictional boundaries.

Privacy Shield, the replacement for Safe Harbor, makes no legal guarantee that mass, indiscriminate surveillance will not occur. Privacy activists already have it firmly in their sights. The Article 29 Working Party has publicly expressed its concern, and will review the agreement next year. The Rule 41 amendments will increase both parties’ concerns, and also cast further doubt on the ability of US cloud providers to keep their customer data safe from US interception, even if held off-shore from the US.

Where does all of this leave the enterprise when choosing a cloud service provider? Most digital enterprises will be controlling or processing the personal data of hundreds, thousands, even millions of individuals. They won’t all be privacy rights activists, but in a world where citizens have a growing awareness of the value and importance of their personal data, there is a scenario where a customer may simply refuse to consent to an enterprise handing their personal data if they thought there was a risk that the data would be exposed to mass surveillance or interception.

The incoming Trump regime adds frisson to this scenario. It has many unknowns in terms of digital policy (other than clear support of mass surveillance and digital “back-doors”) and it may yet force all of us to re-examine our attitudes to data in the cloud. The swinging fines that GDPR will mete out will also motivate enterprises to reassess the risks associated with data breaches, however these occur.

Until the world finds a solution to these problems, UK enterprises may be well advised to keep data protected from the risk of foreign interception, not just by keeping data within the UK, but also by ensuring their cloud provider is a UK company with no vulnerability to foreign legislation and interception. That way, we can have our cake and eat it.

Author: Nicky Stewart