Reactions to the EU-US Privacy Shield

The European Commission and the United States have agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield.

Here are some of the comments Help Net Security received.

Eduard Goodman, Chief Privacy Officer of IDT911


The new framework for the transfer of personal data between the European Union and the United States is really the evolution of over 15 years of established privacy regimes between the U.S. and the E.U. The result of the negotiations is really meant to reestablish trust in the U.S. and E.U. transatlantic relationship. The newly announced framework will be wholly replacing the now ‘dead’ E.U./U.S. Safe Harbor program. In fact, the new framework established by the U.S. and E.U. will even go by a completely new moniker: E.U./U.S. Privacy Shield.

E.U./U.S. Privacy Shield is said to both protect the fundamental right of privacy of European citizens while at the same time providing legal certainty for the thousands of U.S.-based businesses that serve them.

The new E.U./U.S. Privacy Shield program will also be a ‘living’ program. Once established, it will be reviewed by both the European Commission and the U.S. Department of Commerce regularly with the European Commission reporting on the functioning of the agreement on an annual basis. This is, in the words of the Europeans, in order to measure and ensure U.S. accountability to the agreement.

This is also a big step for the U.S. as it has given the E.U. assurances that the excesses of law enforcement and government surveillance will be subject to redress. National security access to E.U. data in the U.S. will have a redress mechanism available to impacted E.U. citizens, with more details to follow.

For specific complaints about a U.S. company, the redress will be fairly similar to the old Safe Harbor framework. The complaint is first to be attempted to be resolved by the company with the complainant. The FTC will work with E.U. Data Protection Authorities (DPAs) to ensure the resolution of any complaints in a timely manner. If not resolved then there is an arbitration mechanism.

In addition, the most interesting aspect is the announcement that the redress mechanism will be administered in the U.S. by some form of Ombudsman, much like the Privacy Authorities at the Federal and Provincial levels in our neighbor to the North, Canada. This may be one of the more interesting aspects of the agreement as it seems to mean that the U.S. could FINALLY, actually create some form of ‘Privacy Czar’ (a.k.a. an office of Data Protection or Privacy).

The agreement, though, is just that, simply an agreement. A draft of the agreement will be published by the Europeans in a few weeks, with the U.S. side also having several weeks to begin next steps.

So in the end, what does it all mean? It means that we finally have a general agreement that will allow the continued exchange of data between the E.U. and the U.S. BUT it also means that the devil in the details and the final overview of what the program will entail will have us ALL waiting with bated breath.

David Mount, director, security solutions consulting EMEA, Micro Focus


After months of negotiations, today marks the beginning of a new era in data protection. It’s clear that creating this EU-US Privacy Shield has been an incredibly tough process for all parties involved and the process has raised some interesting questions about the very notion of trust itself.

If we trust companies with our personal data and they share that outside the EU as the result of a specific agreement, we make the assumption that they can be trusted. But this is where problems with previous iterations of Safe Harbour have arisen, specifically relating to the self-certification aspects of the agreement.

Historically, companies have proved their compliance with the agreement by ticking a box stating that the company adheres to the principles of Safe Harbour and has adequate controls in place. There are some fundamental issues with this, since self-certification does not foster trust and transparency – in fact, it does the opposite.

It’s important to create more transparency around what data is being stored, what can be shared and what the purpose of this is, but levels of trust are always going to be low in a self-regulated environment. It will be interesting to see how negotiations have addressed the arguably conflicting ideas of trust and self-certification, and whether there is any other way to effectively police data sharing when there is so much data and so many parties involved.

Deema Freij, global privacy officer, Intralinks


Today’s announcement of the EU-US Privacy Shield finally marks the arrival of “Safe Harbour 2.0”. Despite some scepticism from human rights and privacy organisations, this will make transfers to the US legal under European law.

The demise of Safe Harbour 1.0 told companies it’s good to have back-up plans and options should one legal route be shut off. The release of Safe Harbour 2.0 is very much another option for companies should they want to take it. So do businesses need to do anything now?

At the moment, businesses have switched – or are switching – to other legal solutions so they are able to transfer personal data to the US – in a bid to avoid any issues with the decision invalidating Safe Harbour 1.0 by the Court of Justice of the European Union (CJEU). Those legal solutions include EU-prescribed Model Clauses.

Now, if organisations choose to stay on these model clauses, nothing will change, and they can still use them to support data transfers globally. Model clauses work for all data transfers – not exclusively for transfer of personal data to the U.S. – but they are admin-heavy. Alternatively, they can use Safe Harbour 2.0 as a means of transferring personal data from the European Economic Area (EEA) to the U.S. – and it won’t be as much of an administrative burden. Model clauses will still be needed for any other data transfers outside of the EEA, however.

Data sharing can’t be taken for granted any more. Companies and their cloud providers are more responsible than ever for data sovereignty, and this responsibility is only going to increase when the GDPR is adopted, leaving organisations with a two-year time limit to comply. The penalties for wrongdoing are well-publicised and severe for companies which fail to adapt to the new data privacy landscape.

French Caldwell, Chief Evangelist at MetricStream


National security surveillance is something that all governments with the technical means to do so engage in. With or without Safe Harbor or its successor, those surveillance programs will continue.

The legal definitions of personal data are so antiquated that, even if the data covered under privacy law is protected – that is, addresses, driver’s licenses, tax identification, phone numbers, etc. – there is still so much data around people’s movements and online activities that an entire behavioral profile can be built without accessing the PPI that is considered legally protected.

Privacy protections in the US have evolved significantly over the years and, in fact, US laws on data breach protection have begun to be replicated in the EU. Also, US authorities, in particular the FTC, are aggressive in penalising companies for not following privacy policies – much more aggressive than EU national privacy authorities.

PPI is essential for e-commerce. However, despite evidence that US enforcement of privacy law is very aggressive, that not allowing it to cross the Atlantic has no real impact on national security surveillance programs, and that there are significant new protections for EU citizens in the new agreement, there will be further legal challenges. It is hard to discount emerging populist movements of nationalism and trade protectionism as underlying motivations.