National Academies Workshop on Data Localization and Cyber Resilience
Examine the regulatory and legal context of data localization and cyber resilience discussed at the National Academies Workshop. Key topics include EU regulations, Schrems I and II rulings, government safeguards, and the impact on cross-border data flows. Dive into the history of data protection directives, the role of Max Schrems in privacy activism, and the court decisions shaping data transfer mechanisms. Explore the effects of EU regulations on cyber resilience and data localization implications.
Presentation Transcript
National Academies Workshop on Borders, Cyber Resilience, and the Implications of Data Localization: Setting the Regulatory & Legal Context
Peter Swire, Scheller College of Business, Georgia Tech
December 11, 2020
Overview
- Strict EU regulation of cross-border data flows
  - Schrems I and II
  - Essential government guarantees
  - Availability of additional safeguards
- Data localization
  - Macro-effects
  - Multiple jurisdictions data localize
  - Back-end processing is pervasive
- Cyber-resilience
  - Safe zone for hackers
  - Reduce effectiveness of anti-fraud
Overview on EU and Cross-Border
- July 16, 2020: Court of Justice of the European Union major decision -- Schrems II -- possibly banning many flows of personal data to the U.S.
- What are the effects of this trend on cyber-resilience, and what are the implications for data localization?
The 1998 Directive
- Data Protection Directive
  - Adopted 1995
  - Into effect 1998
- Reasons it was adopted
  - Uniform data protection laws would enable free flow of data within EU
  - Protect privacy
- Adequacy
  - Maintain protection when data leaves EU
  - Safe Harbor signed 2000, maintain EU-level protections with data in US
- Focus on commerce, not surveillance
- Aspirational
  - Low level of compliance in EU
Max Schrems
- Austrian lawyer / privacy rights activist
- A regrettable moment in California
- Requested his data from Facebook at age 23
  - Received 1200 pages of information
- Filed complaint in Ireland against Facebook and its use of Safe Harbor as an adequate data transfer mechanism in June 2013
  - Response to Snowden revelations
- ECJ invalidated EU/US Safe Harbor, October 2015
  - Resulted in adoption of EU/US Privacy Shield, July 2016
- Filed complaint in Ireland against Facebook and its use of Model Clauses as an adequate data transfer mechanism in December 2015
  - Trial in Ireland on U.S. surveillance practices
  - The Irish High Court referred the question to the ECJ on April 11, 2018
  - Schrems II decided July 16, 2020
Schrems I, October 2015
- Adequacy means essential equivalence - strict
- Court stated, incorrectly, that NSA had unrestricted access to mass data
- January 26, 2016: Schrems v. Swire Debate (Brussels)
  - Swire - worse surveillance practices in China than U.S.
  - Swire - practical impacts of potential Model Clause invalidation
  - Schrems - focused on U.S. & on full implementation of fundamental rights
CJEU in Schrems II: Privacy Shield Invalid (July 2020)
- Privacy Shield
  - Held: Privacy Shield does not provide essential equivalence
  - Need strict protections against surveillance when personal data leaves EU
- Scope of holding: all non-EU countries, but specifically discussed the US
- Implications: quite possibly illegal to conduct most transfers of personal data to U.S.
  - Facebook (Ireland) decision by January
  - Other major companies
CJEU: Two Holdings on Lack of U.S. Adequacy
- Right of redress
  - Must have independent government actor investigate
  - Puzzling right of an individual in one country (Schrems) to have access to the intelligence files held by another country (U.S.). Is that how national security intelligence works?
  - At Cross-Border Data Forum, we have proposed ways to create redress
    - Senate Commerce testimony December 9
- Lack of proportionality
  - EU general principles: processing only where necessary and proportionate
  - Held: too much U.S. surveillance, and not proportionate
    - FISA 702, PRISM and Upstream
    - EO 12333, underseas cables
  - Perhaps cut use of 702 for EU persons?
Effects of this
- Short term
  - US and EU attempting to negotiate
  - Possible modest agreement before January 20
- Medium term
  - Companies conduct due diligence to say they have safeguards
    - But European Data Protection Board on November 11
  - Lots of litigation in EU, with mounting awareness of the seriousness
  - CBDF research on effects of data localization
- Long term
  - Massive disruptions of business and/or EU/US agreement
  - International discussions on new standards for government access to data
  - Plus, Brexit/UK, and what about China
Outline of EU Regulatory Approach
- European Essential Guarantees for Surveillance Measures (Nov. 11, 2020)
  - Summarizes constitutional requirements, very difficult to change with ordinary legislation
- A: Processing should be based on clear, precise, and accessible rules
  - Limits on secret surveillance
- B: Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- C: Independent oversight mechanism
- D: Effective remedies need to be available to the individual
- Summary: constitutional limits on government access to data
Applying Guarantees to U.S.
- A: Accessible rules
  - Effect on EO 12333, major program for collection outside of the U.S.?
- B: Surveillance only where necessary and proportionate
  - EU presumption against surveillance, except where the state can show necessity and proportionality
  - FISA Section 702 held disproportionate to date
- C: Independent oversight
  - U.S. Privacy and Civil Liberties Oversight Board, and more
- D: Individual redress
  - New proposals coming from U.S.: https://www.lawfareblog.com/after-schrems-ii-proposal-meet-individual-redress-challenge
Additional safeguards
- European Data Protection Board draft guidance, Nov. 2020
  - Supposed to interpret Schrems II in practice
- Theodore Christakis in European Law Blog: super-strict
  - Guidance rejects risk-based approach
  - Appears to prohibit transfers to a third country unless effectively encrypted
  - If readable in plaintext, then appears to be illegal
- Comments due December 21
- EU Commission says it wants a risk-based approach, which would allow far more data flows
Summary on EU
- Strictness approaching ban on large-scale transfers of personal data from EU to other countries
  - Except the few that are adequate
- Could see EU court decisions soon banning transfers
- Many companies to date have been reluctant to say how bad it is, so they don't admit the problem to regulators and their customers
Data localization
- Many other countries besides EU
- Hard data localization
  - China: data cannot leave
- Soft data localization
  - Russia, at least initially: keep a copy there, government can access it
  - India now, for financial information/banking
  - Indonesia, Malaysia, maybe many more soon, either soft or hard
- Reciprocal approaches: you can receive the data if we get access to it
  - Could get blocs developing, with agreed-upon rules
  - OECD discussions on guidelines for government access to data
Macro effects of data localization
- Doug Irwin today
- We saw one previous massive example of interruption in globalization: protectionism after 1929
  - Didn't work out well: political isolation, rise of dictators, and World War II
- That may seem extreme, but what would be the effects of a large cut-off of global flows of data?
Sector-by-sector study needed of data localization
- 1998 list
- Issues affecting many sectors
  - HR, accounting, consulting, call center/customer support
- Financial services
  - Can financial regulators oversee a system if they can't see the transactions?
- Other key sectors
  - Cloud, pharma research, travel, online commerce, and more
One lesson on data localization: 3 is much worse than 2
- If one jurisdiction has strict localization (EU), then that becomes a magnet for all data
  - Keep it housed there, and only allow flows out of EU with special permissions
  - Could work as a protectionist measure, and to protect privacy of EU persons
- What if India adds strict localization?
  - Can't house it only in EU or only in India
  - Open conflict results wherever cross-border flows of data continue
2d lesson: Back-End Processing
- Initially, people often think data localization is actually easy
  - Move data center to EU, and run things from there
  - Individual in Europe can make one-at-a-time transfers to U.S., such as vacation to Disney World in Florida
- Lesson: a simple transfer is not simple
  - Numerous back-end systems to get the tourist from EU to Florida
  - Car rental, seat on airplane, loyalty programs, anti-fraud cross-checking of numerous databases
Summary on data localization
- Consider macro effects, beyond the cut-offs of data themselves
- Works especially badly if multiple jurisdictions use data localization
- Back-end processing makes many apparently simple solutions unworkable
Initial thoughts on cyber-resilience and cyber-security
- These are indeed initial thoughts, and a reason to have our workshop today
- I have two initial thoughts
  - Safe zone for hackers
  - Making anti-fraud far more difficult generally
Safe zone for hackers
- Current cybersecurity solutions, in my understanding, often do data gathering and information sharing about sources of attacks
  - E.g., IP address known to be risky
- Legal fact: IP addresses are considered personal data in EU and thus subject to the strict privacy rules
- What effects on cybersecurity if illegal to transfer IP addresses and other data linkable to individuals?
  - I welcome Eric Grosse and others to consider this in more detail
- My supposition is that it makes EU a great target for hackers to use to launch attacks on rest of the world
  - EU itself may be cut off from receiving data from rest of the world about the attacks that hit the EU
Weakens anti-fraud
- If cut many data flows, then I believe that would reduce the effectiveness of many anti-fraud programs
- Anti-fraud today often based on expert systems, which would become less expert
- Anti-fraud defenses today often layered, with some of the layers drawing on diverse sources of data to assess risk of fraud
Other effects on cybersecurity?
- If large cut-offs of data:
  - What other effects on cybersecurity?
  - Who would be affected?
  - Are there mitigations so the effects wouldn't be so bad?
  - How best to explain these new risks to non-technical policy audiences?
Conclusion
- Complex regulatory issues now from EU in particular
- Substantial risk of very large cut-off of data (localization) from EU to third countries, including the US
- Illustrates effects of data localization
  - Macro effects
  - Multiple jurisdictions make localization worse
  - Back-end processing gets broken
- Effects on cybersecurity
  - Safe zone for hackers
  - Reduce effectiveness of anti-fraud
- I hope that provides context for workshop today