A recurrent theme on this blog has been the growing importance of controlling cross-border data flows, in part because of concerns about privacy. One increasingly popular approach with governments is to require data localization, whereby a country’s personal data remains within its borders. Although some companies like Facebook have been fighting this tendency, others providing digital services have merely adjusted how they operate. Here, for example, is an interesting move by Microsoft:
Today we are announcing a new pledge for the European Union. If you are a commercial or public sector customer in the EU, we will go beyond our existing data storage commitments and enable you to process and store all your data in the EU. In other words, we will not need to move your data outside the EU.
Microsoft is doing this, it says, as “another step toward responding to customers that want even greater data residency commitments”. A key question is what happens if the US government demands access to data held within the EU. A FAQ about Microsoft’s new “EU Data Boundary” explains: “We will challenge every government request for an EU public sector or commercial customer’s personal data – from any government – where there is a lawful basis for doing so.” However, as privacy expert Alexander Hanff points out: “Even when the new EU Data Boundary is completed it doesn’t make any difference from a legal perspective because FISA 702 and US Cloud Act still gives the US government unfettered access to the data (despite being stored in the EU)”. For this reason, back in October last year, the French data protection authority ruled that US companies can’t be trusted with personal data about EU citizens, even if it is kept within the EU. Microsoft’s announcement of the EU Data Boundary notes: “Many of our services put control of customer data encryption in customers’ hands through the use of customer-managed keys”. But that doesn’t help if the keys are available to Microsoft, as they must be when the latter is performing computational tasks on customers’ data. It’s irrelevant whether the keys are “customer-managed”: if Microsoft has access to them, so does the US government.
As Hanff writes, Microsoft will be fully aware that its EU Data Boundary is unlikely to satisfy the Court of Justice of the European Union if and when a legal challenge is brought. It does at least buy the company some time before that happens. Google isn’t so fortunate: the privacy expert and activist Max Schrems is already on the case, as we reported last year. Schrems is currently arguing before the Austrian Data Protection Authority that Google is not compliant with the GDPR because it is still sending data from EU Web sites to the US. In a new press release, Schrems is quoted as saying:
Google has to hand over all data under US law. It’s grotesque that they argue to have fences and signs – US surveillance laws are also applicable behind fences. Standard encryption doesn’t help either, as Google is required to hand over encryption keys too. In 2019 alone, they gave the US government data on foreigners more than 201,000 times.
In the face of the continuing failure of the Irish Data Protection Commission to enforce the GDPR in a timely and stringent fashion, other data protection authorities around the EU are starting to take action. In Germany, for example, the Bavarian Data Protection Authority found the use of the email marketing platform Mailchimp to be unlawful because it involved sharing customers’ email addresses with a US company that might in principle be subject to data access by the US intelligence services. More recently, the Portuguese privacy watchdog CNPD ordered the country’s National Institute for Statistics (INE) to suspend the flow of personal data to the US, because it had outsourced the operation of the national census to Cloudflare:
Cloudflare is an undertaking established in California. By the type of services which it provides, it is directly subject to the US surveillance legislation for the purposes of national security, which imposes on it the legal obligation to give the United States authorities unrestricted access to personal data held or kept by Cloudflare, without being able to inform its customers of that fact.
As an article on the DisCo site warns, if other European data protection authorities follow suit, de facto localization policies will become commonplace in the EU, with serious implications for cross-border data transfers.
The authorities in the EU and the US are well aware of these developments, and are working to ensure they have access to data held in cloud computing systems. Writing for the ORF.at site, Erich Moechel reports on an EU document marked “sensitive”, with details of negotiations between the EU and US to allow “cross-border access to e-evidence“. In particular, the EU side wants direct access to data held by the cloud storage systems of WhatsApp, YouTube and Zoom. Doubtless the US side has similar demands for accessing cloud computing systems based in the EU. Although not much in the news, these battles really matter for the future of online privacy. They will determine whether information stored and processed in the cloud can ever be truly safe from government access. If it can’t, it may be that some organizations start turning away from cloud computing, and back to on-site facilities in order to guarantee the privacy of their customers.
Featured image by Lynn Greyling.