Global Data Protection

As ICT professionals, we understand that the new oil of the digital economy is data - it both fuels and lubricates the systems we use, and is in turn converted by them into useful products and services. As public sector professionals, we also know the requirement to keep people's data controlled - we deal not with shopping trends, but with some of the most profoundly personal pieces of data out there. That's why we carry out Data Protection Assessments for our projects, it is why we put the citizen at the centre of our decisions around data sharing and processing, and it is why we have strong laws such as GDPR that control what we can do.

The regulations that cover the use of data have been put in place to, broadly, ensure the subject of that data retains control and ownership of their data, and can make their own choices as to how it is processed. Now, this isn't an absolute right - the state and organisations can reasonably hold data about you to enable them to complete lawful tasks, and so forth. But it is a strong right, and covers a hell of a lot.

With the steady rise of cloud computing, the regulations about data use clearly needed to be much wider than just one country. There have been agreements about this for decades, and GDPR is just the best known iteration of the extra-territorial aspect of EU regulations. Basically, it extends data protections offered to EU citizens to everywhere that data is collected and processed, not just in EU states.

(I'm saying EU here, but it does indeed include the UK - GDPR was put into UK law, and still applies, and the UK has been added to more recent agreements with the US. I could say EU and UK everywhere, but this involves less typing. Also, that would miss out Switzerland, and I make a rule never to upset the Swiss.)

In reality, the biggest impact of this is on big tech companies, which tend to be based in the US. There have been a number of agreements put together to try to enable the confident sharing of data with these businesses, often for the purposes of providing the services that are their bread and butter - for example, Dropbox's business is all about storing data and making it accessible anywhere, which requires free movement of that data from the user's device to a storage server, primarily in the US.

The agreement I was most familiar with was the EU-US Privacy Shield, which basically had the US agreeing that (through various means) EU citizens could benefit from the provisions of the US Privacy Act, and have access to the US courts. This was brought in from July 2016 because the previous data sharing agreement was declared invalid in October 2015 by the European Court of Justice for not providing enough safeguards for EU citizens.

In January 2017, President Trump signed an executive order stating that US privacy protections will, in fact, not be extended to non-US citizens. While this was repealed by President Biden in 2021, it suggested some potential issues. Inevitably, the EU-US Privacy Shield was also found invalid by the European Court of Justice in July 2020 as it did not provide adequate protection to EU citizens from government surveillance.

But never fear, the EU and US negotiated a new agreement, the EU-US Data Privacy Framework. Admittedly, while the European Commission declared it "adequate" (which I am sure is a term with specific meaning in this context, but, c'mon), the European Parliament passed a resolution saying the Commission should renegotiate it and not adopt it, as "the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection" but I'm sure it'll all be fine.

(The NGO NOYB is planning to challenge the DPF in court. So.)

Oh, and the bodies set up in the US to make sure the protections applied to EU citizens appear to have been gutted by the new Trump administration. Existing members of the Privacy and Civil Liberties Oversight Board were sacked from the 'independent' board by President Trump, a decision which was overturned in court, but an appeal is pending. And that is the body with, theoretically, the strongest ability to resist external pressure. It is strongly arguable that any re-evaluation of adequacy for the DPF would find it is no longer fit for purpose.

Without going ever further into this particular patch of weeds, it is clear that the transfer of personal data to the US has always been a legal problem. Measures equivalent to EU data protection simply aren't available in the US, arguably not even for US citizens. However, for decades this has been sort of hand-waved away by the European Commission and member states because, frankly, US tech companies have been the only game in town, and the potential for damage and exploitation by the US has not been considered major.

Times change.

The Trump administration has made it clear that they view the EU not as a partner, but as a competitor, or even as an adversary. The UK has tried to walk a path between the two, without much meaningful success. The consequences of the US's new view have ranged from insults, to tariff shocks, to threats to Europe's defence, and a near abandonment of Ukraine - who are fighting a land war in Europe against an enemy who shows no desire to dial back their ambition.

I recall lots of work undertaken to try to remove potential vulnerabilities in local government networks from the use of Kaspersky anti-virus software. The UK has banned major Chinese suppliers of mobile communication and network equipment, causing significant delays in 5G network rollout. These were done because of the fear untrusted foreign states could use these tools to access our data, or damage our ability to act.

In April, Microsoft published five European Digital Commitments, including the assertion that "[i]n the unlikely event we are ever ordered by any government anywhere in the world to suspend or cease cloud operations in Europe, we are committing that Microsoft will promptly and vigorously contest such a measure using all legal avenues available, including by pursuing litigation in court".

On 15th May, AP News reported that the International Criminal Court's chief prosecutor had lost access to his email address - it appears various services are provided to the ICC by Microsoft, but they deny specifically blocking the prosecutor's address.

Another of Microsoft's commitments is that "[s]ince January 2024, our European commercial and public sector customers have been able to store and process their data and personal identifiers for Microsoft core cloud services — including Microsoft 365, Dynamics 365, Power Platform, and Azure services — within the EU and EFTA regions".

Last week, a US judge ordered an Irish-based company to transfer Irish-based employee data from Ireland to the US IRS, even though it would breach Irish law, in particular GDPR.

This isn't to pick on Microsoft - they're just the highest profile example of a US-based tech firm which is trying to navigate these unknown waters. But it is clear that there are significant concerns which Microsoft is trying to address, alongside the likes of Amazon Web Services and Google. They have very strong financial reasons to push back against over-reaching US demands, but the key point is *where they can* - Microsoft themselves say, "we agreed to challenge any government demand for EU public sector or enterprise customer data where we have a legal basis for doing so".

A key point in the ongoing saga of data protections between EU and US is that the EU has to rely on the US following through on its legal commitments, that the EU has to believe the US will follow the rule of law, and respect the rule of law in other countries. It is clear that the current administration has difficulties with this, and it is unclear if this environment is likely to change.

Regardless of any short term changes, the reliance of the EU public sector on US based tech firms has been brought into sharp focus, and new scrutiny. When the US was a trusted ally, these concerns were remote, but they are becoming more acute every day. If we take action to prevent rogue states from having access to our data and infrastructure, why are we potentially handing it over to a state which may become less trustworthy in the future?

This is one of the key points of European data protection principles - we are protecting people not just against the current people in power, but against future people in power. We cannot know what their drivers will be, which is why we fundamentally distrust the over-sharing of data.

So, what can we do?

Well, not a huge amount right now. The US tech giants are, well, giants. There's not really a lot of choice out there, particularly when you factor in the rush for AI and the costs of change. However, there are a couple of quick things public sector clients can do now - Microsoft really have done a lot to try to offer reassurance and protection. (See? I told you I wasn't picking on them.)

  • Confidential Compute offerings provide additional protection, though costs may vary.

  • Azure Key Vault and Microsoft Purview Customer Key offer some more security.

In the medium term, it is worth looking at where data is stored - there are European cloud storage operators out there, and their products will be worth a look. Often they can be linked to, for example, Microsoft 365, so they are not completely secure, but they enable the continued use of key applications. In addition, they do offer the ability to remove one of the elements from the single point of failure that M365 can be.

It is also worth looking at how we take advantage of AI offerings. Copilot is the easy option at the moment, as Microsoft are trying to bundle it in with everything. But do we really want to tie our AI strategy to a tool and company that may, through no fault of their own, have difficulty meeting our data protection standards?

In the longer term, there is a need to build the European digital infrastructure up. This means more datacentres, strong product offerings, and better trained staff. The simplest way to do this is through pump priming the market by guaranteeing public sector demand. Stating that 30% of public sector 'cloud' IT spend should be with European (and/or UK) companies will encourage investment, and help support start ups. Subsidised training in alternative providers will give us a strong human resource base. Eventually, the aim should be that these services can compete on their own terms globally, and so targets for European spend could be gradually wound down.

And more broadly, I would encourage you to ask your relevant authority, be it the European Commission or the UK government, to reassess the adequacy of the Data Privacy Framework given the facts on the ground, rather than waiting for what seems an inevitable defeat at the European Court of Justice. The polite ignoring of the situation does no favours to anyone, and leaves everyone uncertain.

Ultimately, while you may be legally able to rely on that adequacy declaration for the moment, we shouldn't be looking to make a legally defensible data protection decision, we should be looking to make the right one. At the moment, I don't think merrily sending data off to US firms meets that mark.
