Earlier this year, the EU and the US, came to an agreement in relation to the storage and security of data, used by EU citizens, on servers within the US jurisdiction.
Previously, under what was called “Safe Harbour”, data that left the EU and resided on servers in the US was deemed to effectively be the property of the US government, so direct requests to US companies to release data e.g. within a crime investigation from the EU, could be directly blocked. The agreement did however require the US companies, storing EU data, to comply with the equivalent security and data safe guarding standards within the EU e.g. to behave in accordance with the same “rules of the game”. However, the only way to obtain EU citizen data, stored in the US was through government channels, in other words getting the US government to demand the release of its data from the US based company. Clearly, this had the associated red-tape time line consequences. The old mechanism was called the Mutual Legal Assistance Treaty (MLAT), which ultimately required a US judge to authorise the release of data.
The MLAT process took typically 10-months from initial diplomatic request, through to receipt of data.
One of the flaws in Safe Harbour was that it allowed companies to self-certify their compliance with the equivalent EU requirements. The fundamental problem being that it therefore allowed EU data to ultimately reside within the US, without the end user necessarily having to agree to that geographical storage. Furthermore, the rules of access and monitoring also fell within the rules of the US, so the US could request data, without having to inform the EU that it was effectively requesting EU data – due to it being stored within the US. Let me give you a problematic example of how this could be used:
If there was a local data sharing agreement between two companies in the US, that provided complimentary services into the EU, then sharing each-others data could provide them a competitive advantage against a similar company within the EU.
The EU-US Security Shield will provide end users e.g. members of the public a mechanism to potentially sue the US government, through the US courts for any misuse of their data. The US Department of Commerce will be responsible for policing the behaviours and compliance of these companies.
What about Cloud Storage
Cloud storage comes under the same rules. Indeed, Amazon Web Services is used by a growing number of large companies as the underpinning server/storage platform for the delivery of end user services. Consequently, they will be required to abide by the rules that their direct customers (some of the world’s biggest players) are having to abide by.
In fairness a number of the big players have already been building data centres in Europe, but in the meantime they have to guarantee the same level of compliance with EU standards, rather than being allowed to self-certify. The laws of physics dictate that it will be far cheaper in the long-run to hold data as close to its point of use as possible. These are multi-national companies and irrespective of inter-government agreements, they know that individuals (you and me) want to know our data is safe.
In reality, given the likely ongoing challenges to the use of personal data, coupled with the complexity of attempting to entwine country specific, there will no doubt be further challenges ahead.