So I'd like to invite Mike Small to join us. Hello, welcome.
Hello, Annie. Thank you for inviting me.
Well, thanks for showing up. We appreciate it. I really appreciate you being willing to be here and share some of your thoughts on the fly. So let's start at the beginning and give some background to this. Could you describe what this US Privacy Shield is?
Okay.
Well, I think I need to start this by prefacing what I say with the comment that we are not a law firm, and that whatever I say, and whatever is said here, is not to be taken as legal advice. However, we obviously monitor this area, and this is an important area, and it's important because data is valuable. And because data is valuable, just like physical items, there are regulations that allow free trade in data. And ultimately this is what the US Privacy Shield is really all about.
It's about an agreement between the US and Europe, which both have different laws and a different perspective on the privacy of personal data, which allows both the US and the Europeans to cooperate and to transfer data to everybody's mutual benefit.
And the US Privacy Shield is effectively something on the US side, which was a way in which organizations could say that if they complied with that Privacy Shield, the personal data that they were holding about residents in Europe, which was subject to GDPR, would in fact be treated in a way which was fair and legitimate under the GDPR.
So do you think you could say briefly what types of data this covers? Is it just PII data? Is there anything else that we should be aware of?
Oh, okay. So PII is an Americanism: personally identifiable information.
In fact, that is not the definition in Europe. The definition in Europe is personal data. And so what it is intended to cover is Europe's definition of what is personal data. And that is quite wide-ranging in its coverage. It extends from something as simple as the IP address of the computer which I'm connecting through to you, to things like my intimate health data, my political views, and so on. So it is really anything that falls under the GDPR definition of personal data.
So then let's move on to the ruling today. What was the situation, and what was the outcome?
Oh, okay. So this is a long story. This involves a gentleman from Austria called Schrems. And he decided, a few years ago, that the way in which Facebook was transferring his Facebook data from the Facebook service in Ireland to the Facebook service in the US, using what was the previous thing, the previous agreement, which was called Safe Harbor, breached the European privacy legislation.
And anyway, this led to an agreement which was to supplant the Safe Harbor, called this US Privacy Shield. And when that came about, Mr. Schrems took the case up again, and so the case is now called Schrems II.
So effectively the ruling concerns whether or not personal data which is processed in the US is processed with the same controls and within the same boundaries as it would be if it were held in the European jurisdiction, and the European Court of Justice decided that it was no longer the case that that was so. So effectively the simple result from that is to say that if an organization says that we are processing your personal data in the US under Safe Harbor, because that guarantees it corresponds to the European laws of GDPR, the EU Court of Justice has just basically said, that's not true. That's not the case anymore.
Yeah. Thank you. So then what does this effectively mean for organizations in general? Of course it will have different impacts for different industries, but can we get an overview of what this means?
Well, this is something of a challenge to organizations, and there are challenges at different levels.
And if you dive a little bit deeper into the judgment, the judgment really all surrounds the area of whether or not the US government can override contracts in a way which would allow, say, for example, the intelligence services or the FBI to demand that a US company hand over data that they are holding. And that is, if you will, the nub of the matter.
Now, the stretch of that is a question of trust. Clearly, that trust extends beyond just personal data, but specifically, the risk that this introduces to an organization is that if they are the data controller of personal data. So say I was running some kind of a system where you had to give me your personal data for me to provide you with a service, and I was doing that using a cloud service that was delivered from the US by a US cloud service provider, then potentially this ruling says that I can no longer rely on the assurance from the cloud service provider that, since they are Privacy Shield compliant, my data is being processed in that way. And so potentially I am now at risk that the local information commissioner (in the UK it's the ICO, or in Europe there are governmental-level commissioners) could come and say, Mr. Small, you are processing data unfairly because you are allowing it to be processed in that way. And that is the immediate risk.
Now, the loss of trust that this implies extends beyond personal data and extends beyond just simply how these services are provided. Because if you cannot rely on a contract because of force majeure from a government, then you've got deep trouble.
Yeah. And so you touched a bit on some of the very large risks that organizations will face. Are there any others besides the question of the data and the question of cloud hosting?
Well, these are the essential things, because first of all, there are several different layers that can be involved in this. So, for example, if you are using infrastructure as a service, then say I was running my SQL database, shall we say, in one of the US cloud service providers, then I have control of that data. And so I can do things to mitigate that risk by encrypting it. And so I can say, well, irrespective of everything else, I have absolute control over the keys and so forth.
However, if I was using a customer relationship management program, one of the various things that allowed me to keep lists of all the data of all of my customers, in one of these things, then this is software as a service, and I'm entirely dependent upon how the provider holds that data.
And so I really have little that I can do in the way of direct and technical mitigation. If in fact I decided that I was going to put the design for my latest drug, or the design for my latest widget or product, into these services, then potentially this ruling sort of brings out the risk that the US government could not be trusted to demand from the holder of that data my intellectual property. And that is really a very worrying thing. And this needs to be clarified, I think, at a governmental level, as to the extent to which the US government feels that they can be trusted, and what evidence they can produce to say that we should trust them.
Yeah. So then looking again at the implications, what does this mean for organizations that use US-owned or US-hosted cloud services?
Well, I think my advice to those organizations is, first of all, you need to urgently get in touch with your lawyers and get a proper legal opinion. And now, if you are a properly constituted large organization that is processing data that is subject to GDPR in Europe, or in the UK subject to the 2018 Data Protection Act, which is a mirror of GDPR in the UK, then you should have a data protection officer, and your data protection officer should be on high alert.
Now, the next port of call would be your local information commissioner or data protection commissioner for the country or the federal state that you are in, to look for advice on what you should be doing there. And thirdly, you need to talk to your cloud service providers to discover and determine what assurances they can give you as regards this, but it is a very difficult problem.
And in terms of the mitigations that you can do, the technical mitigations that you can always do: one is you can try and write contracts. And we've talked about the difficulties of contracts, where the risk is force majeure, which is that the government overrides and demands that you do something. And the other obvious technical controls that you can take are, if you're going to put your data in there, then you should encrypt it, and you should keep control of the keys. And that may or may not be easy.
But I think this is a really serious thing, because it may be that the target of this was the large social media companies, the Facebooks, the Twitters, and suchlike, but in fact it is going to spread out and involve the providers of customer relationship management, the providers of office productivity tools, the providers of database software. It potentially spreads across anything that is provided by, hosted in, and where the hosting is run by, US companies.
Yeah. So let's take a moment to consider just briefly what this means for those social media giants, the main targets of this ruling. What could you foresee for them?
Well, I think that ultimately this comes down to a day of reckoning, in that the social media giants have recognized the immense value that is available from personal data, from collecting that personal data and from using that personal data. And really, if we move forward, it would be a good thing if there were a better balance struck between the value that the social media giants get from being able to process this data and the rewards that the people whose data they process get in return. And I think it is correcting that balance that is really important.
Thank you. So, as a final thought, how, and in what ways, can organizations find support concerning this ruling and moving forward?
So I think I'd repeat what I said earlier on: if you are inside the organization, your first port of call is your data protection officer, to say, what should I do about this? And they should be talking to their attorneys or lawyers, or whatever you call them in your part of the world. And those lawyers ought to be discussing with the local information commissioners.
And ultimately this is going to have to come down to some kind of intergovernmental trade agreement to resolve this once and for all.
Thank you, Mike. We really appreciate your time and your patience in bringing us up to date on what's happened and how we move forward from here. Thank you very much.
Thank you very much for having me.