Paranoid Technology All things cybersecurity


Summing Up Safe Harbor’s replacement, Privacy Shield

On February 2nd, the EU Commission and the US announced Safe Harbor's intended replacement, the "EU-US Privacy Shield". While the EU Commission, trade associations and businesses announced support, numerous privacy advocacy groups (not to mention Data Protection Agencies, including those in France, Germany and Spain) were quick to voice concerns.

Here's what the new framework claims to put in place:

  • US companies now have "robust" obligations to protect Europeans' personal data; the Department of Commerce will monitor these commitments, which are enforceable under US law
  • The US has given the EU written assurance that access to data for law enforcement or national security will be subject to limitations, safeguards and oversight; no more mass surveillance on EU personal data; exceptions are allowed "to the extent necessary"; this arrangement will be monitored by both countries
  • EU citizens now have redress options - meaning, companies have to reply to complaints, Data Protection Agencies can refer complaints to US agencies, and a State Department ombudsperson will be available

While all that sounds like progress, the devil is in the details, hence a few areas of concern: