Winning the battles, losing the war
Max Schrems, whom we all know and love from his successful battle against the US as a Safe Harbour for European data, has won this week another victory at the Court of Justice of the European Union. The CJEU has just agreed to rule on whether a privacy-related legal action brought against Facebook can be treated as a “class action”.
— Max Schrems (@maxschrems) September 12, 2016
His last victory set alarm bells ringing in both the US and in Europe. For the Americans, the CJEU’s decision put into question their dominance of the cloud – and their cloud giants’ habit of storing Europeans’ data in the US.
But the result was hardly world-changing. The European Commission and the US authorities scrambled to create an EU-US Privacy Shield to patch the legal holes left by the Safe Harbour invalidation. Some 200 companies have since signed up to the new Privacy Shield.
But not everyone is happy. The European Union’s Data Protection Authority – known by the catching name “Article 29 Working Party,” remains unconvinced. And that’s because many European nations are resolutely opposed to the Shield.
And that brings us to Schrems second battle: he now wants the CJEU to rule that Facebook, perhaps the best known US cloud giant, routinely violates privacy rights, including those of the 25,000 Facebook users.
But will a ruling in favour of Schrems and his 25,000 Facebook friends really matter?
As we know from past decisions, the CJEU tends to toss the real act of responsibility back to the European Commission. The CJEU can rule that a law has been violated; but only the European Commission can actually propose NEW laws to address that problem. And if the past is any indication, the Commission is very unlikely to move against the Americans who dominate the cloud-services market.
Which forces us to ask: is Schrems fighting the right battles? Whether he wins or not, the case underscores the importance of companies being able to answer a simple question: Where is your data? “Somewhere in the cloud,” is not a suitable answer.
There’s a NEW battle to be fought: data sovereignty.
We currently live in a world where China is implementing its own series of “cybersecurity” measures, similar to the GDPR. In Russia, laws on data sovereignty are now in place and the government can impose penalties on businesses not adhering to the rules. Similarly, this approach to data is being adopted by Algeria, as well as other parts of Africa and the Middle East.
So companies need to get smarter NOW. Owning their own data and protecting their customers’ details will increasingly prompt governments – even EU nations – to defend privacy rights with the new tool of data sovereignty. That means data will increasingly be stored much closer to home, rather than on the other side of the world in the USA. Individual data solutions, which enterprises can implement or separate from the rest of the cloud, will proliferate.
Knowing where your and your customers’ data really resides: that’s the right war we need to win.