Looking at Privacy Shield and Safe Harbour

With the United States and GDPR, worthwhile mentioning, just over a couple of slides, we have Privacy Shield and Safe Harbour. So Safe Harbour was designed to address the requirements of the European Union Data Protection Directive. It was created in 1998 and ran until 2015. And it tried to provide the same level of protection for information stored by United States’ entities who were dealing with European Union citizens’ personally identifiable information. And again, bear in mind, a telephone number can be classed as PII, or an email address, or a name, or an address. So most web based services will hold PII. So Safe Harbour was designed to address these requirements. And unfortunately, it was less than perfect.

So to manage Safe Harbour, it was a case that a business would self assert compliance. It would complete a statement saying annually that they were compliant with it. And in 2015, the European Court of Justice invalidated the Safe Harbour as an appropriate form of protection. And they cited legislation permitting the public authorities to have access, on a generalised basis, to the content of electronic communications of EU citizens’ data must be regarded as a compromise of the essence of the fundamental right for the respect for private life. So compromising the essence of the fundamental right to respect for private life. So for that reason, in 2015, there was some thinking, into 2016, as to what could provide an appropriate replacement.

Also, by 2018, we had GDPR rising, which afforded stronger protections. And so we had Privacy Shield that replaced the Safe Harbour model. So this provided a stronger mechanism. It was a stronger model. And it made, it created stronger obligations on the companies in the United States to protect the personal data of Europeans and required stronger monitoring and enforcement by the European, by the United States Department of Commerce and the Federal Trade Commission, who enforce the Privacy Shield program. This was including cooperation with the European Data Protection authorities. And the United States also made commitments that protection under US law for public authorities to access personal data for US citizens would be extended to European citizens.

And that Europeans would have the ability to raise inquiries with their local information agencies to query what was happening, and that these would be responded to by the American agencies. So this was a big change in 2016, with the Department of Commerce and the Federal Trade Commission and the European Union trying to agree a model by which some of these very large US run services, Microsoft, Google, Amazon, would be compliant with European Union privacy legislation. And this also prepared for the 2018 move to the GDPR, or General Data Protection Requirement. When looking at cloud considerations, we have a number of considerations. The first of these are physical. We want to understand where the data centre is. Are there any backups?

Is replication in place? So where is the data held primarily, but also where is any tertiary or replication data held, and potentially our backups? Here we want a balance between resilience and compliance.

For safeguards against human and environments, we need to understand what is in place. The physical security. Are the bars on the windows of our cloud data centre? Is it underground? Is there a risk of flooding? Within the data centre, is our data appropriately segregated physically? Is the data itself encrypted at rest? If it is encrypted, how? Are hashes and accounts stored? If so, how are they protected? So we want to understand as much as we can about the physical environment and about how our data is protected.