A few weeks on and many people within the technology industry are still reeling from the shock of Donald Trump’s election win. Although Trump did not go to the polls with a technology policy, what he said during the election campaign was enough to scare and alienate quite a few US technology companies.
Taking a particularly hard line on digital surveillance, amongst other things, the President-elect called for a boycott of Apple when it refused to unlock the iPhone belonging to the San Bernardino gunman, Syed Farook, back in February this year. Perhaps influenced by Trump’s outcries, a US federal magistrate subsequently ordered the company to help the FBI unlock the iPhone; Apple refused to cooperate on the grounds that the step would threaten the security of its customers.
The President-elect also encouraged Russian hackers to retrieve emails from Hillary Clinton’s private email server and tweeted that net neutrality was “a top down power grab” of the internet, a view recently personified in his hiring of Jeffrey Eisenach and Mark Jamison for his Federal Communications Commission (FCC) transition team. Eisenach and Jamison are known net neutrality opponents. Trump has also said that he believes that the internet should be closed to fight ISIS terrorist recruitment. Comments like these present his beliefs on data protection in an even more controlling and authoritarian light than previously perceived.
Trump’s stance on surveillance is unlikely to foster much trust with the European Commission, which already holds a deep suspicion of US technology companies, originating from the 2013 release of NSA global surveillance information by former CIA employee Edward Snowden. The documents released by Snowden revealed that the NSA had tapped into Yahoo and Google data centres to collect information from hundreds of millions of account holders. This damage to trust between the EU and the US could have significant implications for both the EU’s General Data Protection Regulation (GDPR) and the Privacy Shield agreement.
GDPR will come into force in the UK in May 2018, irrespective of Brexit. Under this new regulation, a data subject (for example, a citizen) will be required to give clear and unambiguous consent to the processing and storage of their personal data. They must be able to withdraw consent as easily as they give it. If Trump follows through on his stance on surveillance, GDPR compliance is going to be a challenge for US companies.
The rollout of Rule 41 on 1st December 2016 represents a fresh obstacle by creating further conflict between European and US lawmakers. Rule 41 authorises US courts to issue warrants that allow law enforcement agencies, such as the CIA and FBI, to remotely access, search, seize, or copy data on computers, wherever in the world they are located. It is almost the polar opposite of GDPR, which intends to strengthen and unify data protection for European citizens. European companies will be wary of US data centre operators and cloud service providers if they believe they will be compromising the privacy of their own customers.
For an enterprise that handles large quantities of personal data, it probably won’t make sense to replicate an alternative, non-US platform, in order to cater for those citizens who object to being exposed to a high risk of surveillance. In view of these new concerns around surveillance, the EU-US Privacy Shield, which was introduced specifically to ensure data being transferred between the two regions was still protected by EU legislation, will be reviewed by the Article 29 Working Party next year.
The Privacy Shield is not based on legislation that requires an act of Congress to reverse it; rather, it is a written commitment from the US that, in the eyes of the Working Party, lacks concrete assurances. In the current political climate, it is difficult to second-guess what will undermine Privacy Shield first: Trump hardening the US position on surveillance, or the Article 29 Working Party reacting to the stance.
Nicky Stewart, Commercial Director, UKCloud