A European Wind

By: William Jackson
September 9, 2016


These are interesting times for U.S. companies doing business online with the rest of the world. New privacy laws in Europe, a new agreement between the United States and the European Union to replace the old Safe Harbor for shared data, the pending exit of Britain from the E.U., and unsettled legal questions in this country about how far the government can go in gathering digital data are all complicating the quest for digital privacy.

One thing that appears to be clear is that companies joining the global community will have to come to grips with European notions of privacy that have been foreign to U.S. businesses.

“There is a sense of a European wind blowing your way,” said Mark Skilton, professor of practice in the Information Systems & Management Groups of the Warwick Business School in the U.K.

Differing points of view

The United States and Europe hold differing views on privacy and the rights of (and to) data. In this country, personal information pretty much belongs to whoever holds it, and the holder can do what it wants with it. Online companies are supposed to have privacy policies, but the policies do not have to promise privacy, and most are so opaque that they are never read.

Europe generally takes the view that personal information belongs to the person, who has the final say in how it is used. That view has been codified in the E.U.’s General Data Protection Regulation (GDPR), approved this spring and scheduled to go into effect in May 2018. The really interesting thing about the GDPR is that it applies to any organization holding or processing the personal data of people in the E.U., wherever that organization is based. And the penalties are not to be sneezed at. They range from 10 million euros or 2 percent of the company’s worldwide annual turnover (whichever is higher) for some violations to 20 million euros or 4 percent of worldwide turnover for more serious violations.

Privacy Shield

That all starts in a little less than two years. In the meantime, companies wanting to stay in the E.U.’s good graces will have to get behind the Privacy Shield.

The Privacy Shield is a framework agreed upon (barely) by the United States and the E.U. to enable information sharing by companies on both sides of the Atlantic under the current European privacy rules, the 1995 Data Protection Directive, which has been in force since 1998. The shield went into effect this year, replacing the old Safe Harbor, which the E.U.’s highest court struck down in 2015 on the grounds that it did not provide adequate protection. There still are concerns about wholesale information gathering by U.S. spy agencies, but for the next 20 months companies can self-certify their compliance with the framework to meet E.U. privacy requirements.

At the moment, there is something of a vacuum in U.S.-E.U. privacy compliance. Of the more than 4,000 companies that were taking part in the Safe Harbor framework when it was shot down last year, only 141 have joined the Privacy Shield since it opened for self-certification in August. Microsoft is there, but some big companies, such as Facebook and Google, are notably absent.

Crossing the pond

And speaking of Microsoft, it just opened three new data centers in the U.K. to support its Azure and Office 365 cloud services. By making it possible to host U.K. data locally in London and Durham, England, and Cardiff in Wales, the company sidesteps Privacy Shield concerns: the data stays inside the E.U. (for now, at any rate) and never crosses the Atlantic. The move also opens up markets such as the Ministry of Defence, which require their data to be held within the country, Prof. Skilton said.

But questions still loom. What happens when Brexit kicks in? These data centers will then have to operate under whatever trade agreements the U.K. strikes with Europe. And a potentially bigger question has yet to be resolved here in the United States.

Microsoft currently is battling a 2013 warrant to turn over e-mails and other data held on servers in Ireland and wanted in a narcotics investigation. Microsoft claims the warrant is invalid for data held overseas, and a federal appeals court agreed with the company in July. The U.S. has not said whether it will take the case to the Supreme Court. If it does, an adverse ruling could make the company’s overseas cloud services a lot less attractive for foreign users.

So the next couple of years should be interesting for companies that want access to business and data from outside our borders. And by interesting, I mean nerve-racking.