If your organization houses some or all of its data in a major public cloud, at multiple points in time, that data will traverse geographic boundaries and jump across oceans.
If that service provider happens to be European, then when it jumps across to US territory, does data belonging to your European customers become subject to surveillance from US law enforcement officials and intelligence agencies?
That’s the principal question whose “yes” answer from the US prompted the European Union to suspend the existing “Safe Harbor” agreement last October.
At that time, the European Court of Justice ruled that the US had already violated that agreement by placing its own national security interests ahead of personal privacy rights.
13th Hour Agreement
On Tuesday, officials from the European Commission and the US Commerce Dept. announced their negotiators had reached an agreement, at what could be called the “13th hour,” for the re-establishment of a legal covenant for service providers transferring data between countries’ boundaries, replacing Safe Harbor.
“This result comes after very tough negotiations,” stated Commissioner Věra Jourová, during a hastily assembled press conference Tuesday afternoon, “especially over the past three months, where we have worked literally day and night to find an arrangement that protects the fundamental rights of Europeans and ensures legal certainty.”
It’s an agreement to reach an agreement, the final product of which has been re-dubbed the “EU/US Privacy Shield,” to help distance it from its failed predecessor.
The agreement was hastily announced two days after a unilateral deadline imposed by the EU had already passed, and after some media sources came to the premature conclusion that talks had collapsed.
“For the first time ever, the United States has given the EU binding assurances that the excess of public authorities for law enforcement and national security will be subject to clear limitations, safeguards, and oversight mechanisms,” said Jourová.
“The US will provide written assurances — notably, from the office of the Director of National Intelligence and the White House.”
The way Jourová phrased it would make it seem — at least to an American — that the Commerce Dept. has vouched for the ability and willingness of the Executive Branch to suddenly change US law in response to European demands.
By comparison, Commerce Sec. Penny Pritzker only went so far Tuesday to praise the deal as a commitment between the two governments to work together.
The biggest issue here, by far, concerns the apparent creation of a kind of mitigation authority within the US court system, giving EU citizens arguably unprecedented rights of redress in US courts.
“Any citizen who considers that their data has been misused, under the new scheme, will benefit from several accessible and affordable dispute resolution mechanisms. Ideally,” said Comm. Jourová. “The complaint will be resolved by the company itself.”
That very broad statement implies that EU citizens who claim mishandling of their private data by a private US firm (as opposed to a law enforcement or intelligence agency) may have their cases heard in special US courts.
Overseeing those courts will be some kind of resolution authority, which at one point Jourová described as independent, and at another point as European.
It’s important to note here that the precise details of this agreement have not been worked out, and the two governments have agreed to work further on the matter through March and April.
Did a Wall Just Come Tumblin’ Down?
As is typically the case with all things political and geopolitical, there are issues under the surface that, though unspoken, may be at least as great as the protection of citizens’ privacy.
In November 2013, Deutsche Telekom boldly suggested the creation of an “all-German Internet” — a super-high-speed national communications service that would bypass the global, public Internet for premium services such as video communications, as well as private data exchanges between major, well-known, and authenticated clients.
That suggestion stirred attention in the European Parliament six months later, after German Chancellor Angela Merkel announced she was actively considering Telekom’s proposal.
She was also giving weight to arguments for a separate Internet encompassing the “Schengen Area” — the region of Europe, consisting mostly of contiguous nations, most of which are EU members, between whose borders the presentation of visas for other area members is not required.
Opponents to the idea likened it to a “new, virtual Berlin wall.” Joining those opponents was the United States, which in March 2014 issued a statement condemning the idea of a separatist Internet as “draconian.”
But later that year, a University of Zurich study [PDF] of sampled Internet traffic revealed that a little more than one-third (some 34.5 percent) of all TCP sampled packets sent by ISPs in Schengen member states were “compliant” with the goals of the original Telekom proposal.
One of those goals was 100-percent encryption of all traffic regardless of priority, which would place a considerable barricade in front of any authority with a mind toward surveillance.
Proponents would call that progress, while opponents would stress that about two-thirds of Schengen traffic stays completely inside the Schengen zone, despite reports from German ISPs that they actively try to maintain in-zone routing for better than 98 percent of packets whose sender and receivers are all inside the zone.
For a while, it appeared that US officials would lean on their opposition to Schengen routing, as a counter-balance to EU officials’ claims of bad faith. But in the wake of the Zurich research team’s report, discussion of the matter noticeably died down on both sides.
Changing the Status Quo
One of the issues emerging from the Privacy Shield agreement is whether European Union officials either agreed or implied to remove Schengen routing as an option for achieving the shared goal of a “single market” — where, in the context of a broader economy, Europe is perceived as whole as the US and Canada.
The creation of a kind of Internet wall around Europe, if it were to occur, would change the way the entire world’s cloud service providers (CSPs) route traffic between their data centers, impacting customers in North America, Asia, India, and Australia as well.
For major CSPs, having “availability zones” stationed worldwide improves the performance of online retailers and B2B services that do business with customers and clients worldwide. But it also improves the resilience and reliability of service between American service providers and American customers, as is the case for European CSPs and European customers.
Any single wall constructed anywhere on the globe, restricting the routes of Internet traffic based on geography, would have measurable impact on everyone’s ability to do business — but more substantively, as China knows all too well, on those countries adjacent to the wall itself.
US-based legal experts and attorneys are poring over what information they have been able to receive since the agreement was announced Tuesday afternoon, Eastern US time. Richard Santalesa, an attorney with Connecticut-based Sm@artEdge Law Group, is among them.
“At minimum, it [the announcement] messaged that the EU and US aren’t at an impasse,” Santalesa told CMSWire, “which many feared might be the result given voiced intransigence on each side in part, and the specter of the [European Court of Justice] sitting out there again.”