In something reminiscent of David and Goliath, the stone of Max Schrems’ landmark legal challenge has shattered the Privacy Shield that protects centralised service providers.
This is a really big deal. It means that the personal data of an EU data subject (‘person’) cannot be transferred from within the EU to the US without an appropriate mechanism. That creates a major issue for any organisation in the EU that’s using a service provider (such as a messaging app) that stores - or backs-up - data on servers based outside of the EU.
The ruling comes after several months of pandemic-related lockdown, which has seen organisations turn to messaging apps and collaboration to support widespread working from home. Consumer-grade messaging apps have seeped into organisations, and collaboration tools have been put in place with more haste than thought.
All of which means that centralised messaging apps such as Signal, Telegram and WhatsApp are now under intense scrutiny, as well as collaboration tools such as Slack and Microsoft Teams, and video calling services like Zoom.
The rise of digital sovereignty
Conscious that centralised systems see their data stored on third party servers in territories outside their own, governments and NGOs have been moving towards digital sovereignty for quite some time.
Certainly for governments, on-premise is a very attractive option. The notion of cloud is not necessarily wrong; at least not at an IaaS or PaaS level, but passing data over to a third party that stores it on servers in a different jurisdiction is now a liability.
In the corporate world, the issue of data residency has been an unsexy, complex topic towards the bottom of both IT and Risk’s long to-do lists. Privacy Shield, the EARN IT Act and the Lawful Access to Encrypted Data (LAED) Act are seeing data sovereignty suddenly shoot up the rankings to become a boardroom issue.
Companies are now having to assess their exposure and, suddenly, the idea of handing over sensitive company data to a third party vendor - who stores that data in a completely different country, with different privacy laws and a different privacy culture - seems startlingly shortsighted.
Decentralisation is the foundation for privacy
The idea of decentralised computing for privacy is not new. It can be traced back to the work of David Chaum and his 1979 decentralised computer system, Mix Network, which paved the way for other protocols such as Tor and Matrix; the open, end-to-end encrypted decentralised communication protocol that Element uses.
The original web, of course, was also an open and decentralised network but has become far more centralised - and is now dominated by centralised providers such as Google, Apple, Facebook and Amazon.
A decentralised approach enables organisations to participate in a global open network, but to do so while retaining their independence to host and manage their own data - free to choose their own deployment solution, including which countries and jurisdictions.
Conversely the centralised models of Apple (iMessage), Microsoft Teams, Signal, Slack, Telegram and WhatsApp lets those proprietary systems transport, host and own their customers’ data. Some of those organisations’ business model is based upon data mining their customers’ data. Even when that’s not the case, these data honeypots attract all sorts of nefarious attention (such as the recent Bitcoin scam on Twitter and the ransomware hit on Blackbaud) including commercial data mining and - as evidenced by EARN IT and LAED - routine surveillance.
Matrix, in contrast, provides an open decentralised network that also offers end-to-end encryption and cross-signed device verification. It is the foundation layer for secure, private, decentralised real time communications.
EU rules apply outside of the EU
When the EU introduced General Data Protection Regulation (GDPR) the implications were felt worldwide as it impacted any organisation intending to interact with people protected by EU law.
GDPR is a relatively straight-forward and high-level piece of legislation put in place to protect people’s rights to personal data protection (indeed it arguably simply extended existing pre-digital consumer protection rights). GDPR underlines that the EU takes the protection of personal data seriously, even if in practice this goal has not always materialised.
Similarly, the Court of Justice of the European Union judgement on case C-311/18 (colloquially known as Schrems II) that the EU-U.S. Privacy Shield agreement fails to provide sufficient protection for personal data, also has ramifications outside of the EU.
It means nearly every privacy consultant, lawyer and Data Protection Officer should be going through a review of their organisational data flows before agreeing on any next steps.
None of Your Business (NOYB), the NGO headed up Max Schrems who challenged Privacy Shield (and its predecessor Safe Harbor) offers this checklist of steps:
- Review all your external data flows (including to EU processors or controllers that in turn may transfer data to a non-EU entity) for data flows to third countries
- Identify the relevant legal basis (e.g. Adequacy, Article 49, Privacy Shield, SCCs, etc)
- In relation to 50 USC § 1881a (= FISA 702) and EO 12.333 identify especially any US "electronic communication service providers" and any data flow to the US that is not secured against wire tapping by the NSA (see model requests below)
- Stop your data transfers if:
- You or one of our partners still use the Privacy Shield
- A relevant US entity is an "electronic communication service provider" or
- You cannot protect your data flows from NSA wire tapping
- Notify the DPA if you continue to use SCCs, BCRs or any other instrument despite a negative assessment
When six worlds collide
It’s difficult to know if the Court of Justice of the European Union ruling that invalidated the EU-U.S. Privacy Shield is primarily a clash of ideology, government or technology. But it is safe to say that all three are involved, and that as a result we’re seeing six worlds collide.
The ideological difference is perhaps the most fundamental. It sees the EU’s data subject centric stance in direct conflict with the US’ preference towards centralised control, and a greater comfort-level with technology-enabled surveillance.
Whatever the drivers and complexities, European governments are clearly warmer to open source software than traditional proprietary vendors. They are also demonstrating a growing preference for decentralised systems that grant data sovereignty, as opposed to working with centralised service providers which sees government data locked into the systems of overseas vendors.
For our point of view, we see traditional centralised systems (Slack, Teams, Discord, Signal et al) being displaced by a grass-roots open-source movement. The negative effects of data centralisation have become incredibly clear in recent years thanks to Cambridge Analytica, unilateral algorithmic filtering and surveillance capitalism. The pendulum is swinging back towards an internet which is more open, decentralised, secure and vibrant.