Content Copyright © 2016 Bloor. All Rights Reserved.
Also posted on: The Norfolk Punt
The demise of the old Safe Harbour agreement between the US and the UK, allowing the interchange of personal and sensitive data between EU and US datacentres has been causing rising panic as the implications sink in. Now, a January 31st deadline has bitten and some resolution of the issue is appearing; see here, for the official press release.
However, this seems rather unlikely to address the mistrust I see between the world in general and the USA, quite aside from data privacy. It seems to me that the fundamental issue here is that any non-US company is at least a little bit frightened of the possibility of state-sponsored industrial espionage if their sensitive data gets into US jurisdiction. Whether this threat is real or not is moot (perception is all); no one is quite sure what the US spooks are able to do with “our” data in the USA, if they play the terrorism card, regardless of any official statements.
Robert Bond, an IT Law specialist and Partner at Charles Russell Speechlys, poses the question of whether this is more of a privacy shield than a safe harbour here. He points out that “Safe Harbor did not necessarily provide a lawful data transfer mechanism for US companies not governed by the Department of Commerce (such as the Financial Sector)”, and wonders whether the Privacy Shield will do any better.
We shall see, but I think that this is, in essence, a fundamental governance issue for companies trading in the USA, and one that will run and run. If some American company tells you that the Privacy Shield will mean that there’ll soon be no problems sharing any of your data with US sites, I think that you should be very cautious, for now, at least. Of course, if you strongly encrypt anything that might end up in the USA, then you are a bit safer anyway, although the Americans you authorise to read it (if there are none, why is the data in the USA?) could still be an issue.
And, as I anticipated, the discussion isn’t over yet. Robert has just pointed me at this, which is the EU regulators asking for more detail on what Privacy Shield actually does; his further comments are here. Basically, the EU regulators are still insisting on four essential guarantees governing the activity of US spooks as part of any new US framework, and will be examining Privacy Shield accordingly. As I said, this will run and run….