Analysis: The 4-month wait is over – the EU-US Privacy Shield has arrived – but can it deliver what it promises?
Yesterday, February 2, 2016, the European Commission and the United States agreed on a new framework for transatlantic data flows. This agreement replaces the old Safe Harbour framework, which was declared invalid on October 6, 2015.
The new agreement sets out stronger obligations on companies in the U.S. to protect the personal data of Europeans, as well as stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC). These US agencies will also be required to increase cooperation with European Data Protection Authorities.
EU commissioner Vera Jourová said: "The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies. For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.
"Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments."
CBR looks into the new agreement, bringing you everything you need to know about the proposed plans.
The Story So Far…
The story starts all the way back in 1998, although the beginnings of personal data protection in the EU can be traced back to 1980, when the OECD issued its personal data protection recommendations.
Between 1998 and 2000 the Safe Harbour Privacy Principles were developed, designed to prevent the disclosure or loss of customer data stored by EU and US companies. US companies could opt into the ‘safe harbour scheme’ and be certified if they met the principles outlined in the directive. In July 2000, the EC ruled that US companies adhering to the EU requirements could transfer data from the EU to the US, a ruling known as the Safe Harbour Decision.
However, this all changed on 6 October 2015, when the Court of Justice declared in the Schrems case that the Commission’s Decision on the Safe Harbour arrangement was invalid. The Court of Justice ruled to invalidate Safe Harbour because ‘legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life’.
This ruling kick-started four months of EU-US negotiations on a new data transfer framework, leading to the February 2, 2016 announcement that a new agreement had been reached.
In a nutshell
The new agreement basically protects the personal data of European citizens when it is transferred to US companies. Whereas before US companies were able to self-certify that they were handling data correctly, they will now have to meet specific obligations on how data is processed.
This will be monitored on both sides of the Atlantic with watchdogs and agencies coming together, in addition to a dedicated Ombudsperson.
The agreement has been welcomed by many, as the scrapping of Safe Harbour threatened the flow of data between the US and EU, which would have had a knock-on impact on global trade, commerce and the digital economy.
Michael Bisignano, CA Technologies General Counsel, said: "Trust in the security of personal data is a central element in the fast-growing Application Economy. So is the rapid transfer of data between countries and continents in order to deliver innovative services to consumers and for businesses to be competitive on a global scale.
"We commend the European Commission and the US Government for reaching an agreement that provides certainty to businesses and consumers on both sides of the Atlantic. We urge all stakeholders to move swiftly to finalise this agreement and safeguard other existing data transfer mechanisms such as BCRs".
What’s in a name?
One of the most obvious changes is the change in name, with Safe Harbour scrapped in favour of the Privacy Shield. However, many people have noted that the strong connotations of the new Privacy Shield moniker give a telling insight into the change in the agreement.
Patrick Van Eecke, Partner at DLA Piper, said: "From ‘Safe Harbour’ to a ‘Privacy Shield’, what’s in a name? Well, a considerable amount in this case. It clearly shows that the attention has now moved from providing US companies a safe harbour for storing EU collected data in the US to a shield protecting European citizens from their data being misused in the US.
"It has gone from a corporate enabler to a citizen protector – a paradigm shift in the essence of data protection."
Snooping stamped out… really?
The new framework sets out a number of clear safeguards and obligations on US government access. The US has agreed to stop indiscriminate mass surveillance on personal data transferred to the US under the new arrangement.
This is a major step forward for the rights of Europeans against US snooping, especially in the post-Snowden world. Bojana Bellamy, President of Hunton & Williams LLP’s Centre for Information Policy Leadership, said: "Europeans will also have more rights in the US, when business does not respect the obligations of the new Privacy Shield agreement.
"But, more importantly, Europeans will also have rights against surveillance practices by US government agencies in the context of national security. This was a major step for US to agree and good for them for doing so! It should put to bed the post-Snowden concerns that Europeans did not have any rights in the US against government surveillance."
However, French Caldwell, chief evangelist at MetricStream, who has previously worked with the US White House on issues relating to national and cyber security, said: "National security surveillance is something that all governments with the technical means to do so engage in. With or without Safe Harbour or its successor, those surveillance programs will continue.
"The legal definitions of personal data are so antiquated that, even if the data covered under privacy law are protected – that is addresses, driver’s license, tax identification, phone numbers, etc – there is still so much data around people’s movements and online activities that an entire behavioural profile can be built without accessing the PPI that is considered legally protected."
Who’s in charge?
Although the US has agreed to curtail mass surveillance on EU citizen data, there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
In addition to this, increased cooperation is required between the U.S. Department of Commerce and Federal Trade Commission (FTC) and European Data Protection Authorities over the increased monitoring and enforcement of EU data protection. Add into this mix the new Ombudsperson and you have a myriad of authorities on both sides of the Atlantic trying to adhere to and enforce the new Privacy Shield agreement.
This raises the questions: who’s in charge? Who is going to enforce this law, and what about all the data importers in the US whose transfers are now illegal? David Juitt, Chief Security Architect at Ipswitch, said: "The Privacy Shield agreement does raise significant questions and there appears to be widespread disagreement on the repercussions and the scope of enforcement.
"Technically, most US companies that are data importers are technically non-compliant today and it is unclear what the implications of this are. Further, there are individual Model Clauses, which we are not entirely sure will stand up in court. Overall, our initial thoughts are that this ‘clarification’ needs further clarification. Not a great place to be in when we’ve already waited four months to get this far."
New complaints department
If any citizen suspects that their data has been misused, there will now be ways to flag this to the authorities, with Alternative Dispute Resolution free of charge. Companies will have strict deadlines in which to reply to complaints, while European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. A new Ombudsperson in the US will be created to deal specifically with complaints concerning access by national intelligence authorities.
What does it mean for business?
Generally, it is good news for businesses, as the agreement has ensured that the data will keep flowing across the Atlantic. David Juitt, Chief Security Architect at Ipswitch said: "The new Privacy Shield agreed between the US and EU Commission yesterday is a key step to ensuring that organisations can maintain a free flow of data between the EU and US. Without an agreement the impact on businesses both sides of the Atlantic would have been catastrophic."
However, praise for the Privacy Shield has not been unanimous, with many calling out the legal implications of the deal. Patrick Van Eecke, Partner, DLA Piper said: "Scrutinising the new agreement closer, I am not sure it will bring the legal comfort they are looking for. As the new agreement will be reviewed on an annual basis, and as local Data Protection Authorities will still have the possibility to prohibit data transfers to the US, it does not bring much needed legal clarification companies are looking for."
The other issue is compliance, which is compounded by the sheer amount of data that today’s companies are dealing with. Bojana Bellamy, President of Hunton & Williams LLP’s Centre for Information Policy Leadership, said:
"With investment into data-driven innovation, the rise of big data and the internet of things; data, and what businesses do with it is under more scrutiny than ever – from consumers, privacy advocates, governments and regulators. The importance of what we do with data has never been at a higher level, yet the knowledge of how we manage data has never been lower – this spells a troublesome future for businesses on both sides of the pond and beyond."
If companies do not comply with the new agreement and fail to keep data secure, they face prohibition of data flows and multi-million fines. Although the deal has only just been put on the table and elements could still change, Jason Hart, CTO, Data Protection at Gemalto, advises companies to start a plan of action now.
"First and foremost, boardrooms, and not just IT departments, need to roll out a companywide initiative in which customer data is protected as if it were their own. Data needs to be protected at all levels with end-to-end encryption, authentication and access controls. One way to make this happen could be to ensure that the keys used to encrypt data reside in the EU; then, regardless of where the encrypted data goes, it remains safe.
"Ultimately, the ruling will need to be respected, and compliance with security protocols must be seen as a responsibility essential to the success of each business individually, and the continuation of the agreement."
The EU Commission will prepare a draft ‘adequacy decision’ in the coming weeks, which will then be put forward to the Article 29 Working Party and a committee composed of representatives of the Member States. The Working Party and committee will offer advice on the draft before the agreement is adopted by the EU. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman.