August 16, 2017
On August 14, Judge Richard Seeborg of the US District Court for the Northern District of California upheld a ruling requiring Google to turn over Gmail data stored overseas. The ruling seems to be in conflict with a US Court of Appeals ruling in Microsoft v. United States where the court ruled that Microsoft does not have to turn over data stored in a European data center. The main difference between the two cases comes down to algorithms and data access. When it comes to Gmail, Google uses an algorithm to store the emails wherever it is most efficient, not based on the user’s location or privacy concerns, and Google’s staff can easily access and retrieve the data from the US. Thus, to rule otherwise, according to the judge, US warrant authority “would be arbitrarily confined based on where the data is located pursuant to an algorithm, not any territorially meaningful storage decision.”
Security, privacy, and other risk professionals, as well as business leaders concerned about privacy, need to react quickly to this ruling because it has implications for compliance as well as for how your organization positions and markets privacy to its own customers. After years of endless breaches, privacy abuses, and revelations of widespread US government surveillance, individuals around the globe, but particularly in Europe, have become very sensitive to privacy.
Privacy isn’t dead; in fact, it’s more important than ever. That sensitivity led the EU to replace Safe Harbor with the new Privacy Shield Framework as well as to significantly strengthen GDPR with new requirements and a maximum fine of 4% of global revenues (the deadline for compliance is May 2018). It also led many of the US cloud providers to build overseas data centers.
But having overseas data centers is not enough. Over the years, I’ve heard from several European-headquartered cloud providers and telcos offering cloud services that, since revelations of US government surveillance, have been doing a lot of business with clients that are just too nervous to do business with US-headquartered cloud providers. This latest ruling won’t help.
Security and privacy pros need to immediately:
- Ensure your US cloud providers store data based on policy, not an algorithm. Security, privacy, compliance, and legal teams need to be absolutely certain that cloud providers are storing data to meet your privacy and compliance requirements, not following the storage recommendations of an algorithm that usually stores the data locally.
- Overlay your cloud service with encryption and keep your keys. It’s hard to predict future rulings. Perhaps Microsoft v. United States will be overturned, leaving all US-headquartered cloud providers with no choice but to turn over data, even if it violates clients’ policies. In that case, unless you want to switch providers, the only way to protect yourself is to ensure your sensitive data is encrypted and you maintain your own encryption keys. That way, if the US government wants your data, they’ll have to try to get it from you. It puts control of your data back in your hands.