Data Privacy: U.S., Europe Head in Opposite Directions

Posted 05/30/2017 by Nigel Tozer

With President Donald Trump's recent, but less publicized, repeal of U.S. broadband privacy rules, things are moving on both sides of the Atlantic with regard to personal data. And it looks as though the U.S. and the European Union (EU) have very different ideas about which direction to take.

We all leave a digital trail these days, just going about our daily business. We don't think about it much, and we often consciously choose to trade this personal data ourselves in exchange for free services.

Think about it: your Internet searches; social media; the websites you visit and your location while you're visiting them; even your exercise activity and your home heating usage via a smart thermostat are all harvested and monetized by big business. Much of this you might not care about, but medical records, mental health, legal records, finances and similar areas probably cross the line for you. It's personal, after all. The trouble is, the line between what's shared and what's kept truly private is blurring.

Some camps think that the pendulum has swung too far in favor of business and that there should be a rebalancing, with more power handed back to the individual. While this view can be found in the U.S. as well, it's the EU that has chosen to legislate to protect its citizens, with GDPR taking effect in May 2018. It's not just GDPR: another EU regulation, the proposed ePrivacy Regulation, is due to take effect at the same time and is intended to protect personal data in electronic communications.

It's this proposed legislation that is at odds with what the president signed: a congressional resolution repealing broadband privacy rules adopted during the Barack Obama presidency, which were due to take effect by the end of the year. Those rules would have forced ISPs to get clear permission from users before sharing sensitive personal data such as "precise geo-location, financial information, health information, children's information, social security numbers, web browsing history, app usage history and the content of communications."1

Furthermore, the rules would have required ISPs to let their customers opt out of the sharing of less sensitive information, such as an email address.

It's not just this repeal that may cause U.S.-EU clashes over data privacy, though. An executive order, somewhat buried by the immigration stories that dominated its coverage, directed U.S. agencies to exclude non-U.S. persons from Privacy Act protections and so cast doubt over the future of Privacy Shield, the replacement for the Safe Harbor agreement. Doubt is not to be taken lightly: a single court case 'cast doubt' over Safe Harbor, and that eventually killed it. Without Privacy Shield, the widely held view is that GDPR would make it unlawful for EU businesses to use U.S.-based companies to process personal data unless another approved transfer mechanism is in place, which would have a big impact on cloud-based services. Privacy Shield was, in fact, created with GDPR in mind. For those in the UK, this is complicated further: GDPR will become law there next year, but when the UK exits the European Union in 2019 it is expected to exit Privacy Shield at the same time.

An individual's privacy may seem a long way from where Commvault plays in the data landscape, but it is deeply intertwined with what we do and the value we add. Take Privacy Shield as a start: being able to easily encrypt and move data and workloads between cloud vendors provides a contingency against the current uncertainty for EU and U.S. businesses. Microsoft, Amazon and others are also tripping over each other to build more capacity in Europe, so EU businesses will at least have somewhere to relocate their data to if things remain unclear, or get worse.

In the case of GDPR, Commvault's ability to index data across a company's whole estate, including public cloud, can really help to get a handle on where PII (Personally Identifiable Information) is stored, and even to set policies that manage that information based on its content. The Commvault platform also adds value on many specific GDPR articles and principles, such as the right to be forgotten, data minimization, breaches (on endpoints), protection by default, data transfers and more.

Personal information is an intrinsic part of modern business that cannot be ignored, and with GDPR setting a new benchmark for its protection, the tug-of-war between those who want to exploit it and those who want to protect it is set to continue for the foreseeable future.

Learn more about GDPR via our recently released report: "IDC: Five Essential Steps for GDPR Compliance." Also watch our on-demand webinar: "IDC GDPR Survey Results – How Do You Compare?"

1 - Anger as U.S. internet privacy law scrapped