Last week a US magistrate ruled against Google and ordered it to cooperate with FBI search warrants demanding access to user emails that are stored on servers outside of the United States. This comes only a week after President Trump issued an executive order that weakened protections for data held in the US about foreign citizens.
Google says it is to appeal the court order as the organisation believes handing over the emails will put the privacy of non-US citizens at risk.
In October 2015 the longstanding Safe Harbour arrangements, allowing US companies to transfer EU citizens’ personal data in compliance with European data protection legislation, collapsed over fears about the bulk data collection activities of US intelligence agencies. Privacy Shield, its replacement, is now equally unworkable as European concerns about what these agencies could do under the Trump administration have not been addressed.
Nicky Stewart, commercial director at UKCloud, has made the following comments: “At the time of Trump’s recent executive order, US firms were quick to dismiss privacy concerns and the implied threat to Privacy Shield as a ‘complete over-reaction’, in much the same way that they previously dismissed Max Schrems before he succeeded in making the EUCJ declare safe harbour invalid. With the US DoJ appealing the Microsoft case, the Rule 41 amendments coming into force, Trump’s initial executive order with who knows how many more to come, and now the ruling against Google, there will be fresh concerns in Brussels, and European privacy campaigners are going to be up in arms.”
“Public sector bodies with contracts with US cloud firms need to make an immediate Privacy Impact Assessment, and if necessary, seek expert legal advice. They may need to scope out migration options to move workloads so data privacy and sovereignty can be assured. As they prepare for Brexit and GDPR as well as the Prime Minister’s new industrial strategy which actively favours UK firms for government contracts and procurement for growth in the post Brexit world, departments are going to need to weigh up the risks (in terms of data privacy and sovereignty and currency fluctuations) of doing business with non-UK providers.”
Nigel Hawthorn, Skyhigh Networks’ European spokesperson, believes Google should be praised for resisting, but warns that UK and EU cloud service users must increase the due diligence they conduct around cloud service providers (CSPs): “It’s always a welcome sight when technology organisations stand firm against courts or agencies in the interest of privacy. Similarly to Microsoft, Google’s decision to appeal the judge’s ruling to hand over the emails of Gmail users stored outside of the US should provide the millions of UK and EU users with confidence that the firm isn’t willing to simply bend to the courts without first checking that their requests are valid. Yet, all users – whether consumer or business – of cloud services must now assume that access to their data will be requested by courts around the world at some point and, therefore, it’s now vital for them to adopt and control their own safety measures.”