Trump and the EU-US privacy shield laws

On January 25, the Trump administration injected a whole new level of uncertainty into the already-fragile EU-US data flow agreement, known as the Privacy Shield.

With the stroke of a pen, President Trump signed an executive order entitled “Enhancing Public Safety in the Interior of the United States,” which directed agencies to “exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

It didn’t take long for EU officials to respond — irately. Jan Philipp Albrecht, the rapporteur for the EU’s data protection regulation, took to Twitter to threaten the entire existence of the Privacy Shield, writing that the EU should “immediately suspend” Privacy Shield and “sanction the US for breaking EU-US umbrella agreement.”

In the scheme of things, however, Trump’s executive order does little to jeopardize the immediate legal standing of the Privacy Shield, which many of the world’s largest tech companies rely upon to transfer data between the US and the EU. The Privacy Act referenced by Trump deals with the way federal agencies store personally identifying information—something outside the scope of the Privacy Shield. Over the weekend, the European Commission itself moved to dismiss these concerns, noting that the Privacy Act and the Privacy Shield don’t overlap.

What the reaction to Trump’s executive order illustrates—and what the initial European response shows—is how fragile the current relationship is between the EU and the US over data privacy.

Indeed, the uproar revealed how easily infuriated European lawmakers are by American standards, which many see as unfair and freewheeling. And it won’t be long until the next spat, or perhaps even feud, in which the whole regulatory system undergirding EU-US data transfers is threatened to be upended. If there’s one thing, in short, the tech community can count on in this area, it’s uncertainty.

European Commission

Flags flying outside the European Commission

So how should companies respond?

We’ve found three general approaches that can help to manage the risk companies are facing. Putting these approaches into practice now, before new regulations appear—or old ones are threatened—is the surest way to avoid being caught flat-footed.

Rethinking Data Privacy

First, we recommend thinking about data privacy in three separate areas: collection, usage, and audit.

Data collection needs to focus on user accounting—what user information is stored where, how to uniquely identify users consistently, what the user consented to, and how to capture consent. This is difficult information to capture, surely, but it’s important to get things right here to set yourself up for success with the next area.

When it comes to usage, we’ve found this to be the most complex area for customers, in that it requires managing access controls across data silos. Usage also needs to cover perturbation, masking, and purpose-based access to data.

And then there is the audit, which requires capturing all actions taken against data to build reports, sometimes within a relatively short period of time. The point here is to be able to prove, on demand, that the governance standards you’ve implemented are actually being followed across your organization.

Data Privacy vs. Data Security

Second, it’s important to understand the difference between data privacy and security—they might overlap, to be sure, but they are not the same thing.

Many mistakenly think of concepts like encryption and firewalls as data privacy solutions.  Privacy is, above all, about trust between your company and your consumer (whether it’s between you and an individual, or B2B). It’s about clearly explaining how you’re going to protect that trust at the outset of your relationship, and then making sure you have protections built in to preserve that trust. That means there need to be separate methods to expose data internally and externally within your enterprise (i.e., across business units), and between your enterprise and others as well. This requires different controls in addition to security controls, some based on who can access what piece of data when, but also ones that can limit who can use what piece of data for specific purposes.

Beware of Data Lakes

The temptation, all too frequently, is for large enterprises to put everything in one place. While consolidation always seems like a good way to manage access in a single place, these efforts usually just lead to the creation of another copy of the data (one that needs to be constantly updated) and can compound access management problems.

Instead, we recommend a data abstraction layer across your silos, which will allow you to enforce and audit the controls on your data without creating unnecessary complexity or time delays in accessing or ingesting that data. Companies that move to create a data lake should do so for data processing reasons, never data accessibility reasons.

From Uncertainty To Advantage

Certainly, the Trump administration’s first few days in office have brought a new level of uncertainty into the global data privacy regime — a precarious framework to begin with. But if and when this regulatory landscape begins to shift, companies with the right solutions in place needn’t be caught off guard. On the contrary, as their competitors scramble, these companies will find themselves with a new competitive advantage.