Paranoid Technology All things cybersecurity


Summing Up Safe Harbor’s replacement, Privacy Shield

On February 2nd, the EU Commission and the US announced Safe Harbor's intended replacement - the "EU-US Privacy Shield". While the EU Commission, trade associations and businesses announced support, numerous privacy advocacy groups (not to mention Data Protection Agencies, including those in France, Germany and Spain) were quick to voice concerns.

Here's what the new framework claims to put in place:

  • US companies now have "robust" obligations to protect Europeans' personal data; the Department of Commerce will monitor these commitments, which are enforceable under US law
  • The US has given the EU written assurance that access to data for law enforcement or national security will be subject to limitations, safeguards and oversight; no more mass surveillance of EU personal data; exceptions are allowed "to the extent necessary"; this arrangement will be monitored by both countries
  • EU citizens now have redress options - meaning companies have to reply to complaints, Data Protection Agencies can refer complaints to US agencies, and a State Department ombudsperson will be available

While all that sounds like progress, the devil is in the details, hence a few areas of concern:

  • How do these safeguards work? How much access do American intelligence agencies have to EU citizens' data?
  • How will the legal landscape among EU countries differ in practice, with some countries choosing to pursue redress and others not?
  • There's no mention of reforming US programs such as Section 702 of the Foreign Intelligence Surveillance Act, which allows the NSA to sweep up overseas digital communications with limited privacy protection; so what's actually changed?
  • How will redress be handled? It's all well and good to take complaints, but what will be done about them?

All of which leads to uncertainty around whether the EU-US Privacy Shield will pass muster with the 28 member countries' privacy regulators. The EU Commission has promised that the Privacy Shield text will be available in the second half of February, after which it needs to be adopted by decision. The EC will be relying on the opinion of the national data protection authorities of the Article 29 Working Party (WP29), which will issue an opinion by the end of March. Approval by WP29 is a leading indicator of whether Privacy Shield will stand up in the Court of Justice of the European Union (CJEU), which is the ultimate authority in this case. And if it doesn't, it's back to the negotiating table.

This uncertainty, and the lack of legal clarity and enforceability, creates risk for businesses (and citizens) engaged in transatlantic data transfers. For companies that care about revenue over privacy, the easy path is to accept Privacy Shield (or assume a similar substitute) and proceed with business as usual. For those that want to continue to protect EU citizens' privacy, legacy protections do exist.

Organizations can still employ legal protection through Binding Corporate Rules (BCRs) or Model Contract Clauses (MCCs). MCCs have the advantage of being easier to execute, as they're smaller in scope and embedded in contracts; BCRs, while offering broader protection, take many attorneys many hours to implement, and still only cover the adopting firm. Both impose an extra legal tax on doing business in the EU, but they are definitely more protective than leaving things to an uncertain future.

For the background on Safe Harbor, and more detail on what to think about in this murky EU privacy space, see the Derivative Technology white paper, No More Safe Harbor.
