EU Privacy Officials Push Back On Privacy ShieldBetter than Safe Harbor, but not good enough. Should we care what they think?
European Union data protection authorities today called the proposed trans-Atlantic data transfer agreement, EU-US Privacy Shield, "a great step forward," but nevertheless called for significant changes to it.
The European Commission (EU) proper released details of the Privacy Shield agreement in February. The EU's body of data protection authorities, dubbed the Article 29 Working Party (Art. 29 WP), has advised the Commission that its proposed agreement left too many questions about the independent ombudsman being appointed to arbitrate conflicts between EU and US parties and left the US government too many opportunities to conduct bulk collection of EU citizens' data.
Here's what you need to know:
What is EU-US Privacy Shield and why do I care?
Privacy Shield is a proposed data transfer agreement between the US and the European Commission that would allow American organizations to store European citizens' personal data in the US if the organizations agree to comply with certain EU standards for maintaining EU citizens' data privacy. Privacy Shield is a proposed replacement for Safe Harbor, the data transfer agreement that existed for 15 years before being struck down by the Court of Justice of the European Union in October.
For a more complete answer, Read this.
What is the Article 29 Working Party and why do we care what they think?
The Article 29 Working Party consists of data protection authorities from EU member states, the European Data Protection Supervisor, and a representative from the European Commission.
The opinion of the Article 29 Working Party is non-binding -- meaning that the Commission can move Privacy Shield ahead with or without their approval. The reason the Party's opinion matters is because the people in it are the data protection authorities who have the power to investigate and in some cases enforce privacy regulations across the EU. They can issue fines and sanctions to organizations they believe have violated privacy law in their individual nations.
So, if the Article 29 Working Party does not completely endorse Privacy Shield, organizations who follow Privacy Shield strictures to a tee may still fall afoul of some European data protection authorities' rules on data transfer.
Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!
What are the Article 29 Working Party's complaints about Privacy Shield?
One key concern of the group is a lack of clarity about the new "ombudsman." This role is supposed to be independent of the US intelligence community and will handle complaints about the American government's misuse of EU citizen data or mass surveillance.
"We don't have enough security guarantees in the status of the ombudsperson and in the effective powers of this ombudsperson in order to be sure that this is really an independent authority," Isabelle Falque-Pierrotin, chair of the Art. 29 WP said, per Reuters.
Under the current draft proposal of Privacy Shield this ombudsperson will reside within the US State Department -- raising questions about whether or not this individual could truly be an independent arbiter of issues between EU citizens and the US government if the individual is an employee of the US government.
The Art. 29 WP also stated that the current proposal allows the US too many opportunities for bulk data collection. Although the proposal says there will not be mass surveillance of EU citizens, there are several scenarios for which it states that bulk collection of signals data, for example, might be required or unavoidable.
Finally, the working party said Privacy Shield would need to be revisited in two years when the EU General Data Protection Regulation goes into effect. The GDPR is a replacement for the EU's current data security policy, and it has a much broader definition of "personal data," much more rigorous requirements for protecting the privacy and security of that data, and much stiffer penalties for violating those regulations -- as much as 4 percent of an organization's annual global revenue.
Can I still transfer data with BCRs and model clauses?
So far, so good.
When Safe Harbor officially expired in January, organizations had to fall back on other, clunkier measures of data transfer -- binding corporate rules and model clauses. The Art. 29 WP was expected to also discuss whether or not these means of data transfer were acceptable. There was the lingering possibility that they might state those methods should also be invalidated, which would leave organizations with no legal means to transfer data.
Falque-Pierottin said the Art. 29 WP has not changed its stance on those methods yet, but that the opinion could change, depending upon what the Commission's final version of Privacy Shield looks like.
What happens next?
The next step is that the Commission will get the approval of the Article 31 Working Party -- a group of representatives from each EU member state who do not directly represent data protection authorities from those states.
Then, the College of the European Commission will finalize and adopt Privacy Shield. They're aiming to put the measure into effect by June.
The story's not necessarily over at that point, though. The Court of Justice of the European Union (CJEU) could still investigate and strike down Privacy Shield on the same basis they struck down Safe Harbor -- which was, in essence, that American organizations cannot protect EU citizen data effectively because the American government's surveillance practices are so invasive that any data residing in the US is subject to the government's prying eyes. If CJEU struck down Privacy Shield, everyone would be back to square one.
Documents leaked earlier this week from German authorities instructed the German members of the Art. 29 WP to try and make such a thing come about. The documents mandated that "the Article 29 Working Party shall support test cases and legal actions against the adequacy decision in order to find its way to the European Court of Justice," per Ars Technica.
What are people in the security industry saying?
The industry voiced general disappointment and mostly urged the Commission to ignore the Working Party. Others recognized, though, that this was unlikely to be possible.
“Both the US government and the European Commission worked very hard to negotiate Privacy Shield in good faith to create an acceptable mechanism to replace Safe Harbor," says Dana Simberkoff, chief compliance and risk officer at AvePoint. "I am concerned that with this latest setback, we are now allowing perfect to become the enemy of good – and it will be at the sacrifice of progress in the name of global data protection and privacy.”
"The opinion of the Article 29 Working Party is not binding for the [European Commission]," said Luca Schiavoni, Senior Analyst, Regulation, Ovum; however, it is unlikely that the EC will be able to ignore it."
The Information Technology and Innovation Foundation cautioned against further delay. "A prolonged climate of regulatory uncertainty places unnecessary strain on the digital economy, hurting businesses, workers, and consumers. Moreover, there will be many opportunities to build on the initial the Privacy Shield Framework, as all parties involved have already agreed to meet at least annually to how to further improve the functioning, implementation, supervision, and enforcement of the framework."
Anything else for us to worry about?
Tuesday, the Court of Justice of the European Union heard arguments about the validity of the United Kingdom's Data Retention and Investigatory Powers Act (DRIPA), which requires telecommunications providers to collect and store customer communications data and disclose it to law enforcement under certain provisions. DRIPA is supposed to expire at the end of this year anyway, and be replaced by the proposed Draft Investigatory Powers Bill, commonly known as the Snoopers' Charter, which has been sharply criticized for giving British intelligence agencies too many sweeping privileges.
Although the CJEU has expedited its process for this case, it still may be weeks or months before a ruling is made. Although it is tangential to Privacy Shield, the case still may further frame CJEU's stance on data collection and surveillance; Falque-Pierottin of the Article 29 Working Party said they will be watching the ruling with "great interest."
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio