When the European Court of Justice (ECJ) last month struck down the EU's Privacy Shield regulation, it came as a big surprise for many of us in the world of cloud services, with potentially huge implications. Privacy Shield is the latest mechanism for allowing US companies to operate on, move, and otherwise use privacy data from European citizens and legal entities. It was the successor to Safe Harbor, which likewise suffered a similar fate in 2015, but so far hasn't generated the same degree of concern or public notice.
This is all in spite of five years in the interim where privacy and the importance of exchanging data in the digital world has become even more polarizing. So far, the security industry has not collectively, by and large, had a privacy-by-design philosophy in how to build applications and use and interact with data.
In a world that isn't private by design, the implications from a liability perspective are big. Customers of US-based cloud service providers are now potentially liable for all the things that happen with that data, with no shield at all. This means that lawyers are recalculating liability, discussions are reaching C-suites about implications, and auditors are sharpening their pencils. It's a small jump from these theoretical implications to fines and possible class-action lawsuits and torts.
Today, with more people working from home and commensurately using more online services and applications, the potential for liability is even higher. The stakes are bigger, yet the concern and outcry have yet to be realized by most security people, let alone business people. The fallback will be returning to the less well-known Standard Contract Clauses (SCCs) that provide legal terms that must exist contractually for European entities to do business and exchange privacy-related data with US companies. However, SCCs are not a mechanism in the sense that Safe Harbor and Privacy Shield were: They require certain qualities in technical capability like being able to have policies about classes of data, what they require, and how they can and can't be used. They also require business processes that verifiably state the intended use of data, deny the ability for forward use for other purposes, and provide clear services that elevate and respect EU citizens and their right to be accurately represented or even forgotten.
For those that see it and get ahead of it, the answer has to be privacy by design. In most cases, that means that heavy lifting and architectural changes have to be considered and undertaken. Companies that have large datasets have to build out features and consider the notion of data autonomy in which users receive a degree of respect and autonomy in determining what happens to privacy data related to them. This isn't easy by any stretch, but whatever follows Privacy Shield as an umbrella is a temporary reprieve.
The short-sighted perspective would be to return to the status quo of 2014 or 2019, but the smarter perspective will be to use the window of time that a new mechanism affords to address the gap in technological capability to support putting users first. Ownership of user data is a privilege, not a right, and getting this right is the surest way to avoid future liability.
More generally, it's a wake-up call to business models that treat users as the product rather than as customers. The philosophy in Europe that is likely to become the pattern of the future in the ongoing privacy and security debates says that if data is the new oil, then it should not be taken from the landowners. Privacy rights may still be emergent globally, but leaning in as champions of privacy is a great business opportunity for companies if they identify it now, and it's much better than being summoned to court for taking the opposite stance. It's time for a dialog with legal and with the business, to start the liability recalculation, and to become private by design not just in technology but in business practices.