Just about a year after the fall of the Safe Harbor agreement, the European Commission agreed this past August upon a new framework for data transfers between the EU and the US, the EU-US Privacy Shield. It was officially put into place as of February 1st 2017 with the declaration of the EU countries which are protected. Swiss data will be protected as of April 12th under a similar framework, the “Swiss Privacy Shield”.
But the agreement and your data are already threatened from a couple of angles!
The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organizations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law.
After months of debate, the US and EU came to terms that they could all agree would protect data security and allow for safe data transfers.
The first threat to this agreement came from a recently signed executive order, of which Section 14 states:
Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
So, what does this mean for the EU-US Privacy Shield?
Currently, it’s still intact, but if you are in a country outside of the European Union or Switzerland, it means that your data is again at risk and can be freely used by agencies in the US. And nobody can really say what the next executive order will bring or deny with regard to essential data protection rights.
Recent ruling against Google and Microsoft case still in the court system
In early February “a U.S. judge has ordered Google to hand over emails stored outside the country in order to comply with an FBI search warrant.” The main argument was that Google can’t tell exactly where the data is, which means that it is considered to be in the United States and, therefore, needs to be handed over.
This again shows how essential it is to know where your data is at all times!
However, Microsoft knows that the data is in Ireland, so the ruling was upheld by a very close 4-4 vote. It is expected that the US government will make a move to bring the case to the Supreme Court, where it can be reconsidered. Alternatively, there are rumors that the administration will just change the respective law and clarify that US companies are forced to hand over data even if they know it is located elsewhere.
The third risk continues to be a case in Ireland where the now-famous Max Schrems, who brought the original Safe Harbor agreement down, is continuing to argue against Facebook. This case will probably move on to the European court system and is a pending threat to both the Privacy Shield and the standard contractual clauses (SCCs), which are broadly used for specific data transfers and replaced Safe Harbor terms while people were waiting for Privacy Shield.
New GDPR still implemented in early 2018
On top of this, the preparations for the new General Data Protection Regulation continue and will be finished in early 2018. Remember, you can be fined up to 4% of your annual revenue under those new regulations.
Know where your data is!
With a lot of threats pending, and with the interpretation of what national security is and under which circumstances it allows access to your data always on the line, we continue to recommend that you know exactly where your data is located at all times.
Federate the Cloud
With ownCloud, our users never need to worry about data-transfer restrictions. ownCloud can connect federated servers in multiple geographic locations into a single user experience for seamless collaboration. Federated File Sharing provides frictionless file sharing across multiple ownCloud servers, while maintaining the security, control and attributes of the original server as set up by IT – and leaving the master file copy on the originating ownCloud server.
OpenCloudMesh is a joint international initiative under the umbrella of the GÉANT Association that is built on ownCloud’s open Federated Cloud Sharing API taking Universal File Access beyond the borders of individual Clouds and into a globally interconnected mesh of research clouds — without sacrificing any of the advantages in privacy, control and security an on-premises cloud provides. OpenCloudMesh provides a common file access layer across an organization and across globally interconnected organizations, whether the data resides on internal servers, on object storage, in applications like SharePoint or Dropbox, other ownClouds, or even external cloud systems such as Dropbox and Google (syncing them to desktops or mobile apps, making them available offline).
So, while current and future executive orders, new rulings, or a simple redefinition of the meaning of national security may threaten upwards of 1,500 companies who have already signed up for the EU-US Privacy Shield framework, with ownCloud you remain in control of your data at all times from your own server, anywhere in the world!