New Privacy Shield is soon here - How long will it last this time?

Yet another privacy shield is soon here. Great. How long will it last this time?

Privacy Shield - the third try

President Biden is about to sign the new Privacy Shield (PS) at the beginning of October. Its purpose is to address European concerns over mass surveillance by the US government. This is not the first attempt to establish trust in transatlantic data transfers: Safe Harbour and the earlier Privacy Shield (PS) were both nullified by EU court rulings. Those rulings go by the names Schrems I and Schrems II; see the illustration. (1)

Details of what is in the upcoming executive order are not yet public. It could take effect in the first half of 2023 at the earliest. The new PS includes rules on how US national security agencies can access and use data. Yet again. The earlier Privacy Shield, made in 2016 and nullified by Schrems II in 2020, promised the same. The first PS (2016) included written commitments and assurances by the US to prevent generalized access (2). The Safe Harbour agreement (2000) promised the same: to rule out indiscriminate mass surveillance. What has changed? Scepticism towards these promises is healthy, as they have twice proven not to be kept (Schrems I and II).

Mass surveillance at work

So how does US mass surveillance work? Details are not public, of course. National security and so on, you know. For example, the NSA's PRISM programme gathers data from US internet companies (Google, Meta, Microsoft, Apple, etc.). PRISM was revealed to the public through Edward Snowden's (4) leaks. With PRISM, US officials have access to email, video, photos, VoIP, chats and files stored on or passing through these US internet companies.

PRISM watches the internet with court-approved search terms. This is a way to find signs of terrorist activity before the terrorist act occurs. Predictive surveillance means that PRISM monitors everything: not only to investigate a person of interest, but everything. Most of us approve of the reason this is done, to prevent terrorist acts. However, the side product is still terrifying: a way to see everything a person does online, and a way to profile anyone more accurately than the person could themselves. Ironically, PRISM probably scanned this text before you read it.

Will the NSA cease to monitor EU citizens now? That remains to be seen.

CLOUD Act versus Privacy Shield

In 2018, Trump signed the CLOUD Act. The CLOUD Act allows US authorities to access data held by US-owned firms, even when that data is on servers abroad. Privacy Shield (PS) focuses on transatlantic data transfer. In a sense, the CLOUD Act allows surveillance on EU soil: there is no need to transfer the data to the US. Will the new Privacy Shield put rules on data access by US companies on EU soil?

How the new Privacy Shield will work alongside the CLOUD Act remains a mystery.

Integration Platforms and Privacy Shield

Integration platforms receive and move critical data between systems. This is necessary to automate processes or to publish APIs. The platform must follow the regulatory requirements that apply to the data it carries. For example, if the API or process automation manages personal information, GDPR applies. Healthcare data falls under HIPAA, and card payments under PCI DSS.

As the heart and centre of the data flow, an iPaaS is almost always considered a GDPR processor. A GDPR processor is the party that processes the data on behalf of the party that controls it. Quite often, the party that bought the iPaaS (the client of the iPaaS provider) is the controller. The party hosting the iPaaS is a subprocessor. For example, the Frends iPaaS core runs in Microsoft's Azure by default. The history of Safe Harbour and the earlier Privacy Shield shows the risk to the business: a new ruling, let's say Schrems III, might seriously impact it. Suddenly, your business is running on an illegal platform.

To mitigate this risk, Frends is available on an EU-owned cloud called Cleura. In this Compliant Cloud Frends, all the data remains on EU soil. With the CLOUD Act in effect, the ownership of the parties running Frends and the underlying infrastructure remains in the EU.

If you are interested in a compliant iPaaS, don't hesitate to request a demo.

(1) https://www.politico.eu/article/us-expected-to-publish-privacy-shield-executive-order-next-week/

(2) https://ec.europa.eu/commission/presscorner/detail/hr/MEMO_16_2462

(3) https://en.wikipedia.org/wiki/PRISM

(4) https://en.wikipedia.org/wiki/Edward_Snowden
