EU-US Privacy Shield Dissolution: What Happens Next?

In a world that isn't private by design, security and liability implications for US-based cloud companies are huge.

Sam Curry, CSO, Cybereason

August 11, 2020

4 Min Read

When the European Court of Justice (ECJ) last month struck down the EU's Privacy Shield regulation, it came as a big surprise for many of us in the world of cloud services, with potentially huge implications. Privacy Shield is the latest mechanism for allowing US companies to operate on, move, and otherwise use privacy data from European citizens and legal entities. It was the successor to Safe Harbor, which likewise suffered a similar fate in 2015, but so far hasn't generated the same degree of concern or public notice.

This is all in spite of five years in the interim where privacy and the importance of exchanging data in the digital world has become even more polarizing. So far, the security industry has not collectively, by and large, had a privacy-by-design philosophy in how to build applications and use and interact with data.

In a world that isn't private by design, the implications from a liability perspective are big. Customers of US-based cloud service providers are now potentially liable for all the things that happen with that data, with no shield at all. This means that lawyers are recalculating liability, discussions are reaching C-suites about implications, and auditors are sharpening their pencils. It's a small jump from these theoretical implications to fines and possible class-action lawsuits and torts.

Today, with more people working from home and commensurately using more online services and applications, the potential for liability is even higher. The stakes are bigger, yet the concern and outcry have yet to be realized by most security people, let alone business people. The fallback will be returning to the less well-known Standard Contract Clauses (SCCs) that provide legal terms that must exist contractually for European entities to do business and exchange privacy-related data with US companies. However, SCCs are not a mechanism in the sense that Safe Harbor and Privacy Shield were: They require certain qualities in technical capability like being able to have policies about classes of data, what they require, and how they can and can't be used. They also require business processes that verifiably state the intended use of data, deny the ability for forward use for other purposes, and provide clear services that elevate and respect EU citizens and their right to be accurately represented or even forgotten.

In the US, the tendency has been to legislate more access and special privilege for visibility into data. Perhaps this is because the US is concerned about security and safety and is a single, central government for over 300 million citizens. Contrast that with 27 nations and associates equal in the eyes of the European systems that require trust to move forward politically and economically and where privacy policy has emerged in a fundamentally different direction. The result is a different expectation on the role of government in the privacy of citizens. The battleground is now data sovereignty, and the stakes are high as the world suffers in COVID-induced global economic recession.

For those that see it and get ahead of it, the answer has to be privacy by design. In most cases, that means that heavy lifting and architectural changes have to be considered and undertaken. Companies that have large datasets have to build out features and consider the notion of data autonomy in which users receive a degree of respect and autonomy in determining what happens to privacy data related to them. This isn't easy by any stretch, but whatever follows Privacy Shield as an umbrella is a temporary reprieve.

The short-sighted perspective would be to return to the status quo of 2014 or 2019, but the smarter perspective will be to use the window of time that a new mechanism affords to address the gap in technological capability to support putting users first. Ownership of user data is a privilege, not a right, and getting this right is the surest way to avoid future liability.

More generally, it's a wake-up call to business models that treat users as the product rather than as customers. The philosophy in Europe that is likely to become the pattern of the future in the ongoing privacy and security debates says that if data is the new oil, then it should not be taken from the landowners. Privacy rights may still be emergent globally, but leaning in as champions of privacy is a great business opportunity for companies if they identify it now, and it's much better than being summoned to court for taking the opposite stance. It's time for a dialog with legal and with the business, to start the liability recalculation, and to become private by design not just in technology but in business practices.

Related Content:

About the Author(s)

Sam Curry

CSO, Cybereason

Sam Curry is CSO at Cybereason. He is a security visionary and thought leader, has published broadly and has been interviewed hundreds of times on security trends, threats and the impact of "cyber" on us all. He is a Visiting Fellow with the National Security Institute. Previously, Sam was CTO & CISO for Arbor Networks (NetScout) and was CSO & SVP R&D at Microstrategy, in addition to senior, security roles at McAfee and CA. He spent seven years at RSA (the Security Division of EMC, where he was a distinguished engineer and Fellow nominee) as CSO, Chief Technologist and SVP of Product. Sam also has 24 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, SSH Communications and Sequitur Labs, in addition to a number of advisor-ships across the security spectrum.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights