Is the Privacy Shield about to get Trumped?
UK cloud firms poised to cash in on a new US executive order restricting data privacy rules to US citizens and permanent residents
"Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."
That is section 14 of an Executive Order signed by US president Donald Trump with the stated aim of improving public safety in the US. The clause has sparked concern among some in the UK cloud channel and muddied the waters significantly for customers who are increasingly worried about the privacy and security of their data.
The legal frameworks governing data flows between the US and Europe are complex and fast-changing, and with the UK government's finger resting on the Article 50 trigger, they could get more complex still. Safe Harbour - a self-certification scheme under which US firms promised to uphold certain privacy standards - was struck down by the EU's top court in the Schrems case and was eventually replaced by the Privacy Shield, which is now in force. To complicate matters further, the GDPR is due to take effect next year, bringing tougher obligations on companies that handle EU personal data and fines of up to four per cent of global annual turnover for failing to meet them, including failures to secure that data against breaches. On top of this, the UK's imminent departure from the EU means UK-specific rules will need to be drawn up on how data is protected and transferred to the US, and the US president's "America First" mantra could make those negotiations even more delicate.
UKCloud has spoken out amid this significant uncertainty, looking to lure customers of US firms to its own UK-owned, UK-hosted services.
"We have entered an era of uncertainty as the Trump administration takes office, with potentially many more unsettling Executive Orders to follow," said UKCloud's cloud strategist Bill Mew. "As a result, many European organisations with systems or data that require specific data sovereignty and privacy guarantees will surely begin to move away from US public cloud providers, in favour of local providers that are beyond the reach of intrusive US regulations.
"All public sector bodies with contracts with US cloud firms need to make an immediate privacy impact assessment, and if necessary, they need to be scoping out migration options to move workloads to where data privacy and sovereignty can be assured."
This is not the first time UKCloud has spoken out against its US rivals in recent weeks. Last month it took a wide-ranging swipe at AWS and Microsoft, claiming, among other things, that they do not contribute properly to UK GDP, keep their skilled workers in the US, and invest only in superficial, crowd-pleasing policies. But in light of Trump's Executive Order - which brought privacy to the fore - it had another dig at US firms in general.
Mew added: "If they can offer a level of surety that Trump isn't going to further diminish things then the customer is safe."
Overreaction
Quick to rain on UKCloud's parade was Sheila FitzPatrick, NetApp's US-based chief privacy officer, who said that although she understands UKCloud's position, it's just a sales pitch.
"The reaction from the UK cloud providers is certainly normal - they are looking at it as an opportunity for them to grow their business," she said. "But I think there is a fundamental misunderstanding of what the Executive Order really means. Even here in the US there was confusion.
"The order is immigration-related and it limits privacy protection under what is called the US Data Protection Privacy Act of 1974. The important thing to understand is that that act only governs the collection and use and disclosure of personal data by the government in its interaction with other government agencies. It does not come into play regarding business-to-business international transfers. The initial thought of 'oh my gosh, this is going to invalidate Privacy Shield and we won't be able to move data' was an overreaction."
She also made the point that it is not just the US which has strict laws of this kind, and pointed to the UK's Investigatory Powers Act 2016. The divisive act was passed in November and is designed to make provisions about the "interception of communications" and the "acquisition and retention of communications data, bulk personal datasets and other information".
"In the UK, you have the Investigatory Powers Act which is very similar to the US where it does allow the government to do mass surveillance and to access personal data," added FitzPatrick. "I wouldn't say there are 100 per cent guarantees that your data is any more or less protected in the UK than it would be in the US."
British cloud provider Memset's head of security Thomas Owen agreed to an extent, labelling the act "embarrassing and not good for anyone". But he did say there is an important distinction between it and similar US laws, as indicated by Trump's Order.
"At least in the EU… UK law is understood and recognised," he said. "So there is a legal consistency and an agency of making laws which is cognisant of its own laws.
"Whether [Trump] is good, neutral or bad, he is definitely on the chaotic end. We're adding an element of inconsistency and chaos that doesn't have any care about our legal system."
He added that Memset gets a lot of attention from the public sector and privacy-oriented customers because it is extremely clear about its British credentials.
No dog in the fight
While US firm NetApp and British outfits UKCloud and Memset each have a clear commercial interest in talking up their own country's legal framework for data, Renzo Marchini, privacy and cloud lawyer at Fieldfisher, is a neutral party.
He said that too much should not be read into Trump's Executive Order on this side of the pond in relation to data and privacy.
"Privacy Shield is in danger because US law enforcement has lots of strong powers," he said. "But no, the Executive Order will not kill off US cloud business in Europe - immediately or in the medium term."
He said that before the Privacy Shield came into force, there was a period of months when there was no clear alternative to Safe Harbour, and US companies had no problem selling cloud services into Europe.