Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Sam Curry
Sam Curry
Connect Directly
E-Mail vvv

EU-US Privacy Shield Dissolution: What Happens Next?

In a world that isn't private by design, security and liability implications for US-based cloud companies are huge.

When the European Court of Justice (ECJ) last month struck down the EU's Privacy Shield regulation, it came as a big surprise for many of us in the world of cloud services, with potentially huge implications. Privacy Shield is the latest mechanism for allowing US companies to operate on, move, and otherwise use privacy data from European citizens and legal entities. It was the successor to Safe Harbor, which likewise suffered a similar fate in 2015, but so far hasn't generated the same degree of concern or public notice.

This is all in spite of five years in the interim where privacy and the importance of exchanging data in the digital world has become even more polarizing. So far, the security industry has not collectively, by and large, had a privacy-by-design philosophy in how to build applications and use and interact with data.

In a world that isn't private by design, the implications from a liability perspective are big. Customers of US-based cloud service providers are now potentially liable for all the things that happen with that data, with no shield at all. This means that lawyers are recalculating liability, discussions are reaching C-suites about implications, and auditors are sharpening their pencils. It's a small jump from these theoretical implications to fines and possible class-action lawsuits and torts.

Today, with more people working from home and commensurately using more online services and applications, the potential for liability is even higher. The stakes are bigger, yet the concern and outcry have yet to be realized by most security people, let alone business people. The fallback will be returning to the less well-known Standard Contract Clauses (SCCs) that provide legal terms that must exist contractually for European entities to do business and exchange privacy-related data with US companies. However, SCCs are not a mechanism in the sense that Safe Harbor and Privacy Shield were: They require certain qualities in technical capability like being able to have policies about classes of data, what they require, and how they can and can't be used. They also require business processes that verifiably state the intended use of data, deny the ability for forward use for other purposes, and provide clear services that elevate and respect EU citizens and their right to be accurately represented or even forgotten.

In the US, the tendency has been to legislate more access and special privilege for visibility into data. Perhaps this is because the US is concerned about security and safety and is a single, central government for over 300 million citizens. Contrast that with 27 nations and associates equal in the eyes of the European systems that require trust to move forward politically and economically and where privacy policy has emerged in a fundamentally different direction. The result is a different expectation on the role of government in the privacy of citizens. The battleground is now data sovereignty, and the stakes are high as the world suffers in COVID-induced global economic recession.

For those that see it and get ahead of it, the answer has to be privacy by design. In most cases, that means that heavy lifting and architectural changes have to be considered and undertaken. Companies that have large datasets have to build out features and consider the notion of data autonomy in which users receive a degree of respect and autonomy in determining what happens to privacy data related to them. This isn't easy by any stretch, but whatever follows Privacy Shield as an umbrella is a temporary reprieve.

The short-sighted perspective would be to return to the status quo of 2014 or 2019, but the smarter perspective will be to use the window of time that a new mechanism affords to address the gap in technological capability to support putting users first. Ownership of user data is a privilege, not a right, and getting this right is the surest way to avoid future liability.

More generally, it's a wake-up call to business models that treat users as the product rather than as customers. The philosophy in Europe that is likely to become the pattern of the future in the ongoing privacy and security debates says that if data is the new oil, then it should not be taken from the landowners. Privacy rights may still be emergent globally, but leaning in as champions of privacy is a great business opportunity for companies if they identify it now, and it's much better than being summoned to court for taking the opposite stance. It's time for a dialog with legal and with the business, to start the liability recalculation, and to become private by design not just in technology but in business practices.

Related Content:

Sam Curry is CSO at Cybereason. He is a security visionary and thought leader, has published broadly and has been interviewed hundreds of times on security trends, threats and the impact of "cyber" on us all. He is a Visiting Fellow with the National Security Institute. ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-14
An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.
PUBLISHED: 2021-05-14
Hexagon G!nius Auskunftsportal before allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
PUBLISHED: 2021-05-13
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the ca...
PUBLISHED: 2021-05-13
Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with ...