Privacy Shield invalidation

On the inadequacy of US Cloud providers

Published on: 30/07/2020
News

As many expected, the 16/07/2020 the European Court of Justice has invalidated the Privacy Shield Agreement ending a legal battle started 7 years ago by the then law student Max Schrems.

This victory for citizens’ privacy confirms once again that there have been no improvements, since the invalidation of Safe Harbor in 2015, in the way EU citizens data is being abused and, now we know for sure, illegally processed not only by US corporations but also by US Government agencies.

In a previous article evidence has been presented to show that it has been clear for a long time that Privacy Shield would have been invalidated as the underlying issues remained and they got even worse with the lack of action on the terms agreed with the EU and by the enactment of the CLOUD Act in March 2018.

What this means for EU individuals, businesses and institutions

For many experts in the field this is just a repeat of the Safe Harbor invalidation.

There are the usual attempts of minimising the issue, attempts to legitimise the use of Standard Contract Clauses and overall to ignore the fact that since the 16/07/2020 it has been confirmed that for many years data transfers and processing by US entities has been done illegally.

We have to keep in mind that we are not looking at a new law changing the rules, this is a judgment confirming that the law, or Agreement, was wrong in the first place.

In practice this could open the floodgates for compensation, under Article 340 of the TFEU, as the European Commission made the same mistake twice and this time Governments and organisations may finally have to change suppliers due to the fact that this time they risk heavy fines for not being compliant with GDPR.

In short, this is the current situation:

  • Data Controllers cannot use Joint Controllers/Processors/Sub-Processors, located in the US or controlled by a US entity, when the invalidated Privacy Shield Agreement is the legal basis used to transfer data to the US
     
  • Data Controllers cannot use Joint Controllers/Processors/Sub-Processors, located in the US or controlled by a US entity, when Standard Contractual Clauses are the basis used to transfer data to the US

There may be some US/EU Joint Controllers/Processors/Sub-Processors that can be used but the local Controller (exporter) will need to verify on a case by case basis if they are subjected to US FISA Section 702 and/or Executive Order 12.333.

NOYB website, the non-for-profit organisation setup by Max Schrems to fight the case, made a set of forms available which can be used by anyone to verify if you can legally use those providers or not.

For all of us it means that we should stop using many services and applications unless they are covered by Article 49 of GDPR, in simple terms we can book a flight, a hotel or a contract with US entities as we, as individuals, agree to a “necessary” transfer and we should all be perfectly aware that our personal data will be potentially shared with hundreds of other businesses and US Government agencies. This is your choice and, apart from actively supporting business models where your data is being used and aggregated to other data feeds to be monetised to the maximum extent possible, it won’t directly affect other people.

Some examples of when you, as an individual, a business owner, a civil servant or a minister are affecting other peoples right to Privacy and you perform actions that are not compliant with GDPR:

  • when you install apps like Facebook, WhatsApp, LinkedIn, Instagram, etc… which look up your contact list to match other potential users. That sometimes transfers personal data of family, friends and colleagues without their consent to organisations that should not receive the data
     
  • when you use Microsoft Office, Microsoft 365 or Google Docs or similar products/services. If you write documents, edit spreadsheets or create presentations containing personal data you will share that data in readable format and through connected services without consent and legal rights. This unfortunately happens every day in most public and private sector organisations where even the users of those services are unaware they are processing personal data illegally
     
  • when your web sites use services like Google Analytics, Cloudflare, Amazon AWS, Facebook, etc… as they collect and transfer personal data.

Some would like to point out that SCCs (Standard Contractual Clauses), which set various contractual obligation including compliance with GDPR, have not been outright invalidated (Recital 149 C-311/18). While this is true, it’s also clear that US data importers and their EU subsidiaries cannot state in their SCCs that they are GDPR compliant as they are subjected to mass surveillance programs, which provide no opportunity for consent or remediation to EU citizens (Recital 192 C-311/18), so the local DPA are required to suspend or end the transfer of personal data (Recital 135 C-311/18).

Controllers could, if they wish, continue to use US Joint Controllers/Processors/Sub-Processors but they must notify their local DPA and obtain explicit and informed consent from the users of the software or service but also from the data subjects whose data may be transferred and processed.

Users and data subjects should be asked, to obtain informed consent, it they agree to have their data being subjected to US mass surveillance programs without due legal process and available remedies.

Controllers should also take into consideration that any data subject could file a complaint to the local DPA which, being fully aware of the reasons why Privacy Shield has been invalidated, should act and stop the data transfers and processing without undue delays (Recital 111 to 113 – 146 C-311/18).

The European Data Processor Board published a FAQ document which provides further and official confirmations in regards to the legal inadequacy of many services from US Cloud providers used in the EU.

It’s not just about the law, it’s also about ethics and business models

Even for non experts it should be clear by now that European citizens right to Privacy hasn’t been upheld, not just by the US Government and US Corporations but, unfortunately, also by European institutions, Governments and most European decision makers.

While fully aware that Privacy Shield was not providing more reassurances than the invalidated Safe Harbor Agreement, governments led by example by using platforms that were known to not respect citizens Privacy and by doing so they have been endorsing those platforms leading the rest of society to ignore the issues and perpetuate monopolies and business models detrimental to society itself.

There are many social and economical issues in relying only on a handful of corporation for our critical Digital infrastructures but at least a couple have been clearly seen during the COVID crisis when the only response available to governments has been to promote even more those platforms and that due to the lack of trust in governments Digital choices only a minority of the population accepted to install contact tracing apps which, in a very short period of time, have also shown to indirectly enable US corporations to track users without their consent and knowledge.

While it seems like the population silently accepts using platforms that harvest and monetise each movement, word and click of each one of us, the discontent is shown when the opportunity is given.

Unfortunately most people seem to think that they have no options as none are given when using the most common platforms, while others think that there are no serious issues as Government and institutions keep promoting platforms and brands that have based their business model on what some call “surveillance capitalism”.

Facebook, Instagram, Google, YouTube are platforms that do not even hide the fact that they base their businesses on advertising and the collection of as much data as they can in explicit and covert ways. Unfortunately even government institutions keep using those platforms to track users on official web sites, promote their content and even edit, store and exchange documents and emails that contain personal data, making it difficult for most to escape surveillance programs, being it run by governments or businesses.

Also a monopolist in the desktop and office suite markets like Microsoft has been caught covertly tracking users and transferring data to the US through “telemetry” features and more directly with features built into their Windows and Office Suites. At present the only exhaustive DPIA (Data Protection Impact Assessment) available have been performed on behalf of the Dutch Ministry of Justice on Microsoft Office and Office 365 and the results confirm that Microsoft products and the contracts they have been forcing onto Data Controllers are not GDPR compliant.

We can read in the latest report one of many examples of how, not just Microsoft but in general many of the companies supplying Cloud based software and services, they trick users into giving away their data: “Microsoft has an economic interest in certain default settings. Microsoft has claimed that it would suffer economic harm if the default setting for the use of Connected Experiences was by default switched to “off”.”.

That puts in doubt many other statements and reassurances given by Microsoft as their economic interests, in this case about $7B just with that trick, seem to come before the respect of their own customers.

Confirmation of the issues with the use of Microsoft products and the unethical, bordering to illegal, business practices conducted by the monopolist come also from the investigation made by EDPS which has been probably instigated by the worrying findings mentioned in the above DPIAs where the lack of compliance with GDPR of Microsoft contracts and products is made quite clear.

EDPS states: “These findings and recommendations from the investigation are likely to be of wider interest than just of the EU institutions: they may be of particular interest to all public authorities in EU/EEA Member States.

We could implicitly assume that those recommendations should be implemented also by all sort of organisations including private businesses that process personal data.

It should be made clear that in this article Microsoft hasn’t been singled out as the worse offender even if, having their Operative Systems and Office Suite on 90% of PCs and laptops, is a vendor that creates major concern. Many other organisations are doing the same, or worse, but at present, after years of complaints by Privacy specialists and the effort of just a few institutions, we have clear and detailed evidence about this major corporation.

Having probably recognised the issues presented by many other IT and Cloud providers and the lack of exhaustive DPIA performed by EU Institutions, EDPS started a round of consultations to help improve the quality of those DPIAs and we can hope that more in depth analysis, comparable to those made for Microsoft by the Dutch Ministry of Justice, will be made in relation to other vendors.

A post Privacy Shield Europe

At present there are no quick fixes to the invalidation of Privacy Shield apart from:

  • Tell Cloud providers that they must setup arms-length commercial entities and infrastructures in EU that do not transfer data to the US.
     
  • Ask the US Government kindly to stop mass surveillance campaigns and US corporations to be more ethical
     
  • Ignore all the evidence and announce a Privacy Shield 2 reassuring us than no law student will be able to get it invalidated after a few years of courts battles
     
  • Force all EU citizens to give up their fundamental rights and actively participate in the new surveillance capitalism which mostly enriches the off-shore accounts of some corporations

While some would be satisfied with the last option it is likely that most citizens would prefer to look at more ethical alternatives.

It might be time for institutions and organisations to reconsider their Digital supply chain and invest in projects that allow the EU to become more reliant in resources and platforms developed and delivered by the internal markets.

Many EU member states are already working to achieve Digital Sovereignty by adopting and investing in Open Source software and local Cloud services to provide adequate protection of citizens Privacy.

There are many examples available, eg. the French National Police using Linux instead of Windows, the Italian Ministry of Defence migrating more than 100K from MS Office to LibreOffice or the French Government replacing WhatsApp with Riot and Matrix and many more.

Another interesting project being developed is Gaia-X which should provide Europe with a federated Sovereign Cloud providing additional levels of protection to citizens data. It’s not ready yet but, while committees agree on some technical specifications, governments could easily start implementing their own infrastructures using the same Open Source components used for the base platform as the Dutch Government is currently doing.

In regards to the services we are using every day like email, file sharing, office suites, web sites, etc…, which some consider “commodity services”, they should be seen as critical elements of our Digital infrastructures as most of our personal data is flowing through those platforms and we should keep that data flow in the EU. Europe is the home of a large number of companies and non for profit organisations offering a vast number of platforms and software, often Open Source, that can satisfy most needs and allow for collaborative improvements if some missing features are needed.

We can all take CERN, where the World Wide Web has been “invented”, as an example of innovation and implementation of an European Digital Sovereignty. CERN has been involved in the development of Open Source for decades and more recently implemented the project MALT (Microsoft Alternative) to remove proprietary software and replace it with Open Source platforms to have full sovereignty on their scientific tools, their data and the software we all need for day to day operations.

Open Source First Policy

Many governments around the world are rediscovering or implementing some form of Open Source policies. Some governments have implemented laws and regulations stating that existing or newly developed Open Source software should be evaluated before proprietary software, but most of the time rules were overlooked and since a few years ago most of the attention has been focused on Cloud platforms.

The European Commission setup the Open Source Observatory (OSOR), which collects some information about EU member states initiatives and policies, and it seems like some countries are investing in some Open Source projects but most do not challenge the position of the major monopolists which keep them locked-in with their software, and now their Cloud offerings.

What seems to be missing in many cases are information campaigns that help the public understand why governments, local institutions and the private sectors should invest in Open Source software instead of going for the convenience of renting applications and Cloud in perpetuity from third parties.

The general public should be actively informed by the governments about what Open Source software is, about the fact that is an asset for our society which creates local skilled jobs, drives innovation and keeps economical resources within the territory instead of finding their way off-shore like their data.

Other information campaigns should be aimed also at procurement offices which for the convenience of using standardised procedures keep ordering the same products, that sometimes seems to be required by the IT support company, often a reseller of those same products, to which the services have been outsourced as a result of recommendations from a consulting company which has partnerships and interests in promoting those products. These are chains that need to be broken as are part of the mechanisms which are holding us back from being able to autonomously innovate and be in control of our infrastructures and data.

Open Source software is what allows “the Internet” to work and is what Cloud providers use to increase their efficiency and flexibility. European public and private sectors can deliver modern Digital infrastructures capable of being flexible and competitive if the political will is there and if, as it’s being done in the US, the governments invest more in local players allowing them to grow, compete and innovate.

There is practically no valid reason not to invest in critical Digital infrastructures that we can control as all the components and skills we need are readily available and can make the processing of citizens data even more cost effective than using non GDPR compliant software and Cloud services.

Shared on