The US is the market leader in Cloud services, but European organizations are questioning how long this will last. French organizations are awaiting a directive from their data protection authority, CNIL, to address President Trump’s questionable Executive Order 13768 (EO 13768). This order is forcing the French – and other European nations – to second-guess how US third-party Cloud services handle their data.
Titled “Enhancing Public Safety in the Interior of the United States,” the president signed the order on January 25, 2017, just six months after the EU Commission accepted the EU-US Privacy Shield Framework, which replaced the Safe Harbor agreement.
The questionable part within the order states: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not US citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” EU data protection authorities took several weeks to gauge the impact of this statement, which can be found in Section 14 of the order.
Duncan Brown, associate vice president of European infrastructure and security at International Data Corporation (IDC), believes that President Trump’s executive order has no impact on the Privacy Shield, because it applies to data maintained by government agencies. Admittedly, Brown said, “… it did indicate how little concern the administration has for data privacy.”
Alan Calder, founder and executive chairman of IT Governance, took the sentiment one step further by asserting that Trump’s executive order supports neither the Privacy Shield nor doing business in Europe. “Anybody who doesn’t think data protection matters will have a hard time doing business in Europe.”
The EU GDPR versus the Privacy Shield threatens international trade relations
President Trump’s executive order, combined with his less-than-favorable, passive approach to cybersecurity, has forced businesses overseas to rethink Cloud processing strategies, including who should host their information. The EU is challenging the Privacy Shield on two sensitive areas:
- US authorities’ access to EU residents’ data.
- The possibility of collecting bulk data.
The Privacy Shield has come under fire from the European Court of Justice (ECJ) because it does not align with the EU General Data Protection Regulation (GDPR). Specifically, in this case the Privacy Shield declares that the US can collect data indiscriminately. The EU GDPR firmly declares that any business that maintains the personal data of EU residents must adhere to its updated standards and be in compliance by May 25, 2018.
Any organization that ignores the EU GDPR can come under scrutiny in the form of fines, reputational damage, a reduction in stock value, and being prevented from doing business altogether.
EU CIOs consider alternatives to US-based Cloud providers
Now, back to the French awaiting CNIL cybersecurity directives. The initial instruction is to hire a Data Protection Officer (DPO) – a senior information security leadership role. According to CNIL, by the end of last year 18,000 organizations had enlisted a DPO.
EU organizations need to decide whether they will continue working with US Cloud providers or take the services back into their jurisdiction – completely or partially. Viable alternatives to US Cloud services are springing up in France. With headquarters in Paris, for example, Orange Business Services is rolling out new Cloud solutions to clients around the world. Microsoft Azure is investing in France to host Cloud facilities; Amazon Web Services has, for several years, already used French human resources and facilities for its overseas solution. All this is potentially taking away from the US Cloud solution market.