Data, Data, Data (Updated)

(Updated Weds 25th April)

In the lead-up to GDPR coming into force on the 25th of May I've noticed a massive uptick in last-minute consultation requests. Whatever some may think, this is better late than never; however, I can't help but feel that much of this momentum is equally applicable to the instruments of law already in effect today.

Although GDPR stresses specifics and strengthens existing positions, it also lays out the fabric that enterprises use to wrap their customer data.

Unfortunately the media seems to have largely forgotten the momentous impact Max Schrems and team have had on the appalling political attempt to bridge privacy and data protection across the Atlantic. I'm referring both to the Safe Harbor [sic] agreement and to the equally useless Privacy Shield agreement. Max appears to have had about enough of Privacy Shield as well and is awaiting the 25th of May to lodge similar objections.

I can't stress how important it is to have people like Max doing what they're doing, whilst media and politicians try to dilute the message along the way. Of course, when presented with base facts by brave whistle-blowers, those same politicians and tech execs suddenly profess outrage and disbelief at such actions.

Even when they were served by the outcome of those actions.

In the midst of this, and perhaps it slipped through because of the distraction (but surely not because the bill itself was hidden in a spending bill, apparently without a reading... that would be morally questionable at best), came the CLOUD [Clarifying Lawful Overseas Use of Data] Act, which allows US law enforcement to acquire data via US companies from those companies' servers overseas, without due process in the US and without regard for the sovereign rights of the countries hosting those servers.

Microsoft's four-year dispute with the DoJ has now been discontinued by the DoJ, and a new warrant issued under the CLOUD Act. Microsoft could still appeal to the Supreme Court against the CLOUD Act overall and its implications for international law, although that is unlikely. I say could because US tech companies generally only make a token effort to appease the public's privacy concerns. I would imagine that Max is quietly adding more case paperwork to his existing piles as a result.

Nevertheless it goes to highlight that neither the US nor the UK is taking data protection and privacy seriously enough, and so, as part of the LSP internal review of our infrastructure / support services, security monitoring and investigation silos, we've decided to move our data away from US organisations altogether over the next six months.

That process started in July last year with 'road tests' of various potential road-map components; the main reason there has been a complete lack of blog posts is the volume of assessment and security scan work involved. New vendors have been selected as a result, and although we'll continue to offer clients solutions based on AWS, Google Cloud or Azure, we'll be recommending that data tiers are solely the responsibility of European cloud providers.

This works well because of the regions available: all of the Big 3 US providers also offer nodes in close proximity (and therefore minimal latency) to the European providers' locations. So if there are solutions needing to leverage the Big 3 as well as EU cloud, the impact will be minimal in most situations. For high-transaction-rate, low-latency scenarios, though, we would recommend simply focusing on EU providers.

We're also looking to establish an EU subsidiary, as this will enhance the legal protections available to partners and their customer data, although this will take more time to do properly. The migration from US providers for our own infrastructure is already underway.

It also means that the huge advantage of EU data protection and privacy laws is at the heart of the core service, bolstered by the protections afforded in the UK where applicable. I'm obviously not going to name names here for security reasons, but I am happy to discuss suitable options that may be available to your organisation.

Despite all this, it looks like the EU is now intending to create a symbiotic policy that partners the US CLOUD Act. Outside of MLATs, this essentially means that EU countries can impose the same obligations on firms that have established places of business in the EU. If Facebook et al. continue to have offices in places such as Dublin, this will mean bilateral enforcement across the Atlantic.

Of course, it also means that UK authorities could compel a company to provide information (assuming the appropriate warrant is in place) held on overseas / EU cloud platforms.

If these are of concern, then we would recommend a specialist service provider outside of the US, EU, UK and Australia, although we're satisfied that none of this legislation should affect our customer base negatively, seeing that we have already removed the issue with US-based providers (the US having much lower data protection standards).