Last week, the EU Court of Justice struck down the EU-US Privacy Shield agreement
This agreement was the mechanism under which US companies were able to process and use privacy-related data since a similar ruling in 2015 with respect to the old Safe Harbor mechanism.
The implications are wide and far reaching, and companies of all sorts will scramble to demonstrate compliance with the Standard Contractual Clauses, or SCC, that can be used in contracts to ensure privacy-related data is treated right.
This is especially difficult as many organizations have turned to Software-as-a-Service and the data centers behind them. The question has now become how do CIOs and CISOs exercise data autonomy and easily identify which vendors can make the journey soon enough to avoid fines versus which ones can’t. In other words, which ones operate on a privacy-by-design principle and which ones don’t.
One term we will hear a lot is Data Sovereignty, the principle that data should stay in the national or even regional physical jurisdiction to ensure that that region’s laws and practices are the ultimate authority.
This is closely related to but not the same as Data Autonomy, which to put it simply is about authority and control over data: you decide where it should be, how it should be used, who should see it, how to correct it and how to ensure your policies happen the way you want them to. There’s overlap between the two ideas, but it’s not 100%.
The SCC aren’t just words to paste into a contract. They are measures that must be reflected in technical architectures and business practices. Companies have to be able to assure Data Autonomy technically and then to ensure strong business practices like onward use of data and it privacy, handling claims and statements of purpose.
Of the two, the first is the hardest to do if data structures, applications, storage, use cases and other interactions with data aren’t private-by-design.
For decades now, we have talked about secure-by-design as a principle: that software must be architected and coded as close to source as possible to use strong cryptography, to account for identity and access, for updating and patching and so on.
To be private-by-design will require security be done well, and that the notions of data autonomy and data sovereignty be considered early on too. Adding them later will be expensive and extremely difficult to bolt on.
By contrast, changing business processes is much more simple. Hiring people in the right places, creating policies, and setting up operations are human efforts and can happen in weeks.
Changing architecture takes years, and adding it late in the game can and will lead to performance degradation, availability issues, feature limitation and hard-to-prove and hard-to-verify claims. Audits will be especially painful when things get up to full speed.
After inspecting data in-house, the dialog in boardrooms should be assessing what employee, customer and partner data is in non-organization, third data centers. Are you aware of where it is and can you determine what happens to and with it?
And then it’s time for the tough conversations. Vendors will have to provide timelines for SCC compliance, and the warning signs will be equivocation over what’s needed, claims that Big Data or machine learning (or even AI) requires pooling of data (which it does not) or attempts to redefine data.
In the end, excuses will be many; but now is the time to make sure that you have Data Autonomy and can enforce Data Sovereignty. Privacy restrictions and rules will get ratcheted up, and any vendor in any field that can’t give a timeline for how and when they will demonstrate this isn’t future-proof with respect to privacy.
Data isn’t a right to possess; it’s a privilege to interact with. The EU model will start to influence more, and even if we get a Privacy Shield 2.0 (Safe Harbor 3.0?) will only give a temporary reprieve to IT and security vendors collecting vast amounts of data.
It’s also a wake up call to make sure that data is, in fact, used for the purposes it’s collected for and not for business models behind the scenes. The privacy revolution is ongoing, and the recent EU rulings aren’t the end of the book but rather are at most the end of an early chapter in a longer story.
Let’s all work to get private-by-design into all that we do, especially in a work-from-anywhere world with more and more cloud services and third party data centers in use.