Paranoid Technology All things cybersecurity


Summing Up Safe Harbor’s replacement, Privacy Shield

On February 2nd, the EU Commission and the US announced Safe Harbor's intended replacement, the "EU-US Privacy Shield". While the EU Commission, trade associations and businesses announced support, numerous privacy advocacy groups (not to mention Data Protection Agencies, including those in France, Germany and Spain) were quick to voice concerns.

Here's what the new framework claims to put in place:

  • US companies now have "robust" obligations to protect Europeans' personal data; the Department of Commerce will monitor these commitments, which are enforceable under US law
  • The US has given the EU written assurance that access to data for law enforcement or national security will be subject to limitations, safeguards and oversight; no more mass surveillance on EU personal data; exceptions are allowed "to the extent necessary"; this arrangement will be monitored by both countries
  • EU citizens now have redress options - meaning, companies have to reply to complaints, Data Protection Agencies can refer complaints to US agencies, and a State Department ombudsperson will be available

While all that sounds like progress, the devil is in the details, hence a few areas of concern:


No more Safe Harbor … now what?

The recent EU ruling on Safe Harbor has US companies that do business in Europe scrambling to figure out what this means for their business, what the future holds, and where to go from here. Here’s a quick rundown of what happened, how this came about, and what the implications are for your organization.

On October 6, 2015 the European Court of Justice (“ECJ”) invalidated the 15-year-old Safe Harbor program: a policy framework that allows US-based companies to freely transfer data between continents if they demonstrate compliance with an agreed-upon set of data protection principles. Austrian privacy activist Maximilian Schrems had challenged Facebook’s transfer of European users’ data to its American servers, citing the Snowden case and accusing Facebook of aiding US espionage efforts. And he won.