Clouds reflected in the Parliament building in Strasbourg - © European Union 2013 - European Parliament. CC
US Cloud platforms potentially incompatible with GDPR
Latest reports confirm that the use of Cloud platforms owned by US corporations may lead to non compliance with GDPR and could be detrimental in the long run for EU organisations.
It’s common knowledge that Cloud platforms come with benefits but also with known risks. Compliance with various regulations, being an ever changing landscape, is generally not seen as a major risk as it's built into the sometimes tedious but necessary tasks.
In some cases your organisation's compliance with directives, regulations and international agreements is dependent on third parties and you have to make sure those third parties follow the same rules.
Over the last year it has become more and more clear that non-EU Cloud services, including those from large US providers like Microsoft, Dropbox, Google, etc..., are not compliant with EU privacy regulations like the GDPR. The Dutch government recently concluded this and the Swedish National Procurement Service published, just last month, a pre-study report about Cloud based office platforms.
In short: if your organisation uses Cloud services controlled by US companies to store European citizens Personally Identifiable Information (PII) your organisation may not be GDPR compliant any more as those services are in breach of Articles 44 - 50 in many ways.
The risk for your organisation is to be sued by any EU citizen that hasn’t provided consent for their data to be transferred and naturally by the local Data Protection Authority for non compliance.
Since the publication of Sweden's pre-study the situation worsened as The Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency of the US Government, published a set of statements made by the members of the board during the forum titled “Countering Terrorism While Protecting Privacy and Civil Liberties: Where Do We Stand in 2019?”.
The PCLOB could be of great help to Europe, and naturally to US citizens, as it’s tasked with reviewing if the Intelligence Community (NSA, CIA, FBI, etc…) protects the country while also protecting the privacy and civil liberties of US and non-US citizens.
Unfortunately, reading the Board’s statements, it appears that PCLOB hasn’t been able to operate to its full capacity and exercise its oversight duties as for 20 months the board had no quorum, it has insufficient funding and it doesn’t receive the information its entitled to from the Intelligence Community which would allow it to perform its duties.
The statements confirm also that several intelligence operations affecting EU citizens have been ongoing:
“The permitted purpose of surveillance under E.O. 12333 is quite broad, encompassing all activities and intentions of non-U.S. persons. This broad authority has resulted in broad surveillance programs, including ‘Co-Traveler’, through which the U.S. captured billions of location updates daily from mobile phones around the world, and ‘Muscular’, through which the NSA intercepted all data transmitted between certain Google and Yahoo! data centers outside the U.S.”
This may well be connected also with the “Upstream” program managed by the NSA which “Collect target’s communications as they cross the backbone of the internet with the compelled assistance of companies that maintain those networks” as described in an infographic related to Section 702 issued by the DNI (Office of the Director of National Intelligence) which confirms that the US Government is performing bulk interception directly from the main connectivity providers and potentially from dedicated links operated by Google, Microsoft, Facebook, etc.
In another section the collection from third party “data brokers”, that could be anything from credit rating agencies to web sites analytics, used for “big data” analysis has drawn their attention:
“We are particularly concerned with the possible disclosure by data brokers to governmental entities of metadata which, if sought by the government directly from a communications service provider, could not be disclosed to governmental entities without legal process.”
A statement from another member of the board confirms the “emerging technologies likely to reduce privacy”, on which his organisation is working, also include:
“De-anonymization techniques that can identify individuals by efficiently combining increasing large volumes of digital data”
Then we have other confirmations that is currently impossible even for a US agency to determine the legality of foreign subjects’ bulk interception:
“The Board has been able to operate with relative transparency thus far primarily due to the official acknowledgements the government has made in response to the Snowden revelations. But those disclosures were an aberration. Now, nearly six years removed from the Snowden revelations, we are receiving very little new information. The government has declassified relatively little, for example, about the surveillance it carries out abroad under Executive Order 12,333, and even less about the ways in which it is exploiting new surveillance technologies.”
and in the specifics of foreign intelligence:
“The extent of the government’s use of its surveillance authorities to target journalists, dissidents, and others not engaged in wrongdoing is not known. Nor is it publicly known whether surveillance of such individuals represents a significant portion of the government’s foreign intelligence surveillance efforts.”
Those statements go in direct contrast with those made by the European Data Protection Board (EDPB) in their “EU - U.S. Privacy Shield - Second Annual Joint Review” published in January 2019 which says:
“These publications and declassifications continue to demonstrate the efforts by the U.S. government and of the U.S. legislator to become more transparent about the use of surveillance powers.“
Probably the EDPB is being overly diplomatically correct as the PCLOB published only one official report in October 2018, the “Presidential Policy Directive 28 (PPD-28) Report”, after being unable to do so for nearly 2 years in which despite a large number of redaction it was already clear that the PCLOB could not provide any reassurance regarding EU citizens’ data.
In many other parts of their report the EDPB has been a bit more direct in expressing its concerns regarding issues that haven’t been addressed since the Privacy Shield has been signed and new issues:
“The EDPB also regrets that in the context of the re-authorization of section 702 FISA last year, the US legislator did not take the opportunity to introduce additional safeguards“
“As a conclusion, the EDPB is not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance, and it can thus not state that the Ombudsperson can be considered an ‘effective remedy before a tribunal’ in the meaning of Art. 47 of the Charter of Fundamental Rights.”
To be noted that a new Ombudsperson has been nominated in January 2019 but two months later there have been no communication in regards to the actual appointment.
This is just a brief summary of the many issues that, from a legal/regulatory point of view, can make the transfer of EU citizens data non compliant with GDPR and Privacy Shield.
Note that, even if they haven’t been mentioned in the document, Standard Contractual Clauses often used by large Cloud providers to impose their own terms and limit their liabilities do not shield the Data Controllers from their own liabilities deriving from their non-compliance with GDPR.
Adding to that is the increasing evidence of deceptive practices by large tech companies such as constant tracking of personal devices, indexing and analysis of documents uploaded to Cloud services, implementation of spell checkers that constantly analyse keystrokes from remote locations, etc... should make any DPO and CISO wary of using those services if PII, Intellectual Property information or trade secrets are processed using those tools.
If compliance with existing regulation isn’t a sufficient reason to reduce European dependence on services controlled (and intercepted by) third countries then a valid risk assessment of those platforms should bring up many other issues. At present there should be no need to worry about a repeat of the Echelon Affair but as Governments, relationships and policies change Europe should be prepared for the eventuality that large corporations, influenced by their Government, and intercontinental links may become unsafe to use for sensitive information.
Regardless of the risk of industrial and economic espionage the report prepared by the Swedish National Procurement Services identifies many issues related to the lack of control over data and technologies that could cause big compliance and expenditure issues over the medium and long term.
Another major issue covered is that EU citizens generally don’t get the opportunity of explicitly confirming or denying consent in regards to processing of their PII through processors or joint controllers, as stated in the Data Processing Impact Assessment (DPIA) carried out on behalf of the Dutch Ministry of Security and Justice, that may transfer data out of the EU and/or be involved in/victims of bulk interception programs. Many private and public sector organisations simply implement third parties Cloud platforms without notifying data subjects about the changes so many are led to believe that their data is processed in a safe and compliant way and this may lead to additional legal risks once European citizens realise that not even their Government institutions are compliant with their own laws and regulations.
“At the moment there is too much power in the hands of a few mega tech companies and governments. We need to decentralise the internet, give more power to people over their digital lives. Engineers have a valid voice but they need to be part of a conversation with lawyers, ethicists, experts from the humanities. IPEN, our initiative, seeks to do this.”
A lot of work has been done in the past few years to prepare tools and policies that can allow Europe to gain data and technological sovereignty and a lot of effort has been put in by many European and international organisations to deliver, using Open Source platforms and Open Standards, the solutions required.
It is now time for European institutions to implement the policies needed to help the public and private sectors respect EU directives and regulations and gain full control of the technologies and the data processed to deliver better services while protecting European citizens’ rights.