French organisations have been listening intently to their local data protection authority (CNIL) in the hope of finding a clear path forward following US president Donald Trump’s executive order concerning data protection.
The order came only six months after the EU Commission had accepted Privacy Shield, the patchwork agreement that replaced the Safe Harbor Framework shortly after Safe Harbor had been overturned by the European Court of Justice (ECJ).
The executive order in question was entitled “Enhancing public safety in the interior of the United States”. Buried deep down in that order lies Section 14, which read: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
This one statement caused EU data protection authorities to pause for several weeks to evaluate its impact. But, according to IDC’s Duncan Brown, the Trump executive order applied only to data handling by government agencies, so it had no legal impact on Privacy Shield. “However, it did exacerbate the nervousness that was already out there,” he said. “And it did indicate how little concern the administration has for data privacy.”
According to Alan Calder, CEO at IT Governance, the message threatens US business. He said: “Trump’s executive order is not supportive of Privacy Shield, and it’s not supportive of doing business in Europe. Anybody who doesn’t think data protection matters will have a hard time doing business in Europe.”
For the time being, the world’s biggest cloud providers are based in the US. But Trump has helped open up an entry point for EU-based competitors. In concrete terms, his executive order has motivated European CIOs to rethink their cloud strategy, and to look for alternatives to working with US-based providers.
Let’s not forget that the main reason Safe Harbor was shot down by the ECJ was that the US collects data indiscriminately. And with the current US administration’s obvious disdain for data privacy, there is no reason to think Privacy Shield won’t suffer the same fate.
Fragile from the outset
Calder said: “Privacy Shield was a patch put together at the last minute. After Safe Harbor was declared invalid, there was a long period of negotiation, which resulted in Privacy Shield. Like most patches or temporary arrangements, Privacy Shield is fragile. Only about half the number of companies are registered for Privacy Shield as compared to Safe Harbor. I think it’s been fragile from the offset.
“If somebody has a particular complaint, and the money to bring the action before the European Court of Justice, they can do exactly as what happened for Safe Harbor. Privacy Shield is just window dressing.”
To make matters worse, the bar was raised a little higher in May 2017 when the EU passed the General Data Protection Regulation (GDPR), which is set to take effect in May 2018. Any company that deals in European data will need to adhere to the new standards set by GDPR.
IDC’s Brown said that to understand the complexity of data privacy, consider the example of an international hotel chain with a loyalty programme. “The hotel would have to know that I’m in the EU as opposed to New York to determine how to treat my data,” he said. “But just tracking my location is in fact a case of tracking personal data.
“The hotel could make the decision to treat all data as if the subjects were in the EU. But then it would be at a competitive disadvantage in the US. Or the hotel chain could decide to just ignore GDPR. But then it would be subject to fines, bad press, and possibly other actions that would severely constrain its ability to do business in the EU.
“That is a business decision the hotel will have to take. In any case, GDPR creates uncertainty and cost for a lot of organisations.”
Hire a DPO
But the French seem to be willing to take on the extra cost. Even before Trump’s executive order, French organisations were listening intently to CNIL in the hope of finding a clear path forward. CNIL’s number one recommendation is to hire a data protection officer (DPO). For most private companies, a DPO is optional, but for government agencies and companies that often work with the government, a DPO will be a requirement once GDPR takes effect.
A DPO is an extra salaried employee – and an expensive one, at that. Although this might not be much for a large organisation, it puts a strain on smaller entities. Nevertheless, according to CNIL, by the end of last year, 18,000 organisations had already designated a DPO. The cost of a DPO is an additional expense for French companies, but it is far less than the potential fine for violating data protection laws, which can be as high as 4% of the violating company’s revenue.
With the prospect of large fines, and a US president who is at best unpredictable and at worst downright opposed to data privacy, most French CIOs are erring on the side of caution by opting for one of two approaches. Their first, and safest, option is to use EU-based cloud providers. The second-best option is to go with a US-based cloud provider, but insist that the data remains in the EU. In either case, the US loses jobs to Europe.
The results are already being felt in France. French-based Orange Business Services is rising to the challenge with new cloud services. And US companies are running services using French employees and French facilities. Amazon Web Services has been operating cloud facilities in France for several years. Now Microsoft will be investing in France with Azure facilities this year.