In September a European Union privacy regulator sent Facebook a preliminary order to suspend data transfers to the U.S. about its EU users. The issue was first reported by the Wall Street
Journal (subscription required) and summarized elsewhere. As the WSJ noted, this could not only set an operational and legal challenge for Facebook but will likely set a precedent for other tech giants and, I would posit, companies in every industry.
What is at stake is not just legal and operational challenges, but the very essential ability for companies operating across borders to share data freely and securely, monetize that data, develop new business models, and consequently lower their global data infrastructure costs. Although at the crux of this data transfer issue is data privacy and protection, the little- discussed factor is the inability of today’s data encryption and protection technologies to ensure data privacy.
How Did We Get Here and What Is at Stake?
The recent EU ruling by Irish authorities is based on a concern that data about European citizens should not leave their home countries because the privacy laws the EU has to protect citizens cannot be enforced in more lax environments, such as those in the United States. The Europeans worry that once data is transferred to the U.S., governmental security agencies could demand the corporations holding it to hand it over, claiming it is needed to head off terrorist attacks, for example. Previous agreements between Europe and the United States have been nullified but growing concerns about American governmental surveillance of citizens, both
domestic and international, is now tightening the belt around cross-border data and privacy protection.
Consider the impact of such tightened regulations. Per that same WSJ article, to comply with Ireland’s preliminary order, Facebook would “likely have to re-engineer its service to silo off most data it collects from European users, or stop serving them entirely, at least temporarily. If it fails to comply with an order, Ireland’s data commission has the power to fine Facebook up to 4% of its annual revenue, or $2.8 billion.”
You may think this privacy issue is isolated to the big players like Facebook or Amazon, but the reality is this regulation is going to affect other data-intensive companies. This includes cloud providers, SaaS companies, data exchanges, businesses that reply on data- sharing with third parties such as pharma and clinical research organizations (the very ones we are counting on to develop the next COVID vaccine), financial services, retail, and many more. As the data-sharing economy has become the lifeblood of today’s business (the European Commission and Everis
estimated that the value of the European data market amounted to EUR 60 billion in 2016
alone), nearly all companies face the same issues as Facebook., All organizations involved in such data movements may struggle to demonstrate to authorities that they can maintain strict privacy at all times, even as their data infrastructure costs continue to escalate. (Synergy Research Group reported worldwide spending on data center hardware and software reached
$152 billion in 2019 alone, with no signs of slowing down any time soon.)
The Cross-Border Data Encryption Conundrum
While Facebook and the EU are at loggerheads, there are technical challenges with current data encryption approaches that are making this cross-border privacy issue tough to crack. The truth is there is no standard for encrypting personally identifiable data or competitive data in company systems within or outside country borders. This has prompted a whole data protection cottage industry, all promising to provide the critical data protection required for such international exchanges. Some of these solutions, such as data encryption at rest, are much needed but unfortunately not enough.
In addition, the encryption processes themselves are often so cumbersome, costly and
time-consuming — requiring installations at the site where data is stored and separate programs to encrypt databases from different providers — that they remain out of reach and down right impractical for most. The complex nature and the sheer volume of data encryption solutions increase the possibility that sensitive data of any sort may end up in the wrong hands. And it does, as global data center Equinix experienced last month.
The fact is, none of the existing data-encryption approaches ensure that no sensitive data is ever exposed or that sensitive data is protected while traveling between borders. Current encryption systems protect data at rest and in transit, but most do not protect it in use. The
process of moving data from Europe to the United States has required a set of encryption and decryption measures to keep the data secure in transit, then encrypted in databases in the United States. The keys to unlock the encrypted data have remained with the U.S. companies housing the data, but it is easy enough for U.S. security agencies to demand that the companies decrypt the stored data and share it with them.
Cross-Border Data Encryption Throughout the Data Lifecycle
Standards aside, the little-known secret in the data industry (which I have been part of for many years) is the lack of practical data encryption that protects sensitive data throughout its lifecycle without crippling the ability to use and derive value from it. This is exactly the challenge my team set up to solve: we have developed a practical data protection approach that never reveals PII information, while making data usable for analytics, augmentation, and a whole lot more. Learn about our approach here.
Purandar Das is the founder and chief executive officer of Sotero.