2/2/2016
01:30 PM

EU, US Agree On New Data Transfer Pact, But Will It Hold?

So long Safe Harbor, hello 'Privacy Shield.'

Organizations that rely on trans-Atlantic data transfer are finally breathing a sigh of relief, now that the European Union and the United States have reached a new data transfer agreement, two days after the old agreement -- Safe Harbor, which was struck down in October -- expired. Yet some experts remain skeptical that even this new pact, which better protects European citizens' privacy, will survive the scrutiny of the European Court of Justice (ECJ).

Will the court ultimately destroy the new pact, dubbed "EU-US Privacy Shield," on the same basis that it struck down Safe Harbor? From DarkReading's recent story, "No Safe Harbor is Coming: CISA Made Sure of It":

In its judgment, the ECJ wrote that the European Commission did not state in the Safe Harbor Agreement "that the United States in fact ‘ensures’ an adequate level of protection, by reason of its domestic law or its international commitments." Therefore, "without there being any need to examine the content of the safe harbour principles," the ECJ concluded that the agreement failed to comply with the requirements laid down by the EU Data Protection Directive "and that it is accordingly invalid."

In other words, the principles of safe harbor were irrelevant to the decision to strike down the agreement.

"What's important about this," [Danny O'Brien, international director of the Electronic Frontier Foundation] says, "is that without US legal reform, the Safe Harbor -- and all the other proposals to move personal data from the US to the EU -- fail."

Yet the officials who wrote this proposal think it will succeed. In the press conference announcing the agreement today, Vera Jourová, European Union Commissioner for Justice, Consumers, and Gender Equality, said the new agreement "lives up to the requirements of the ECJ."

Jourova stated that the agreement has established "clear safeguards" on US access to EU citizens' data, and that the US Office of the Director of National Intelligence will provide written assurance on them. "This is a unique step on the part of the US," Jourova said, "in order to restore trust in our trans-Atlantic relations."

Privacy Shield would also differ from Safe Harbor in that it would be a "living mechanism" instead of a one-time deal. The Commission and the US Department of Commerce will regularly monitor the functioning of this agreement, the Commission will provide an annual report on its status, and there will be "strong obligations on companies handling the data," said Jourova, as well as regular reviews by the Department of Commerce to make sure that those companies are meeting their obligations. If they aren't, they will be sanctioned or removed from the list of entities that can transfer data.

They also established rules to give Europeans "accessible and affordable" mechanisms to issue complaints about US use of their personal data. Jourova also referenced the Judicial Redress bill that made it through the committee level of the Senate on Jan. 28. If passed into law, it would give European citizens the right to sue the US if law enforcement agencies misused their data.

The complete details of the agreement have not yet been released. Both countries will be formalizing their documents on the matter over the following weeks.

The big question is whether it indeed lives up to the European Court of Justice's requirements.

"I think it's really hard to say until we see the actual text," says EFF's O'Brien. "I think the reason why we haven't seen a concrete agreement until now is because as soon as anyone gets down to the details, it becomes clear that it won't stand up to [Court of Justice of the European Union] scrutiny."

Response to Privacy Shield thus far has been a mix of relief and skepticism.

"While the creation of a new Safe Harbor agreement for EU-US data transfer may not please both sides entirely, it does enable US businesses to continue operations with European customers without incurring stiff penalties but also makes some important concessions for European data privacy," says Yorgen Edholm, CEO of cloud collaboration services firm Accellion. "That said, European attitudes toward data privacy have not changed and we suspect it will only be a matter of time before Safe Harbor 2.0 is challenged in court. Ultimately, the practice of trans-Atlantic data transfer will remain controversial as long as there remains a fundamental difference of opinion between the U.S. and the EU on what is more important: national security or data privacy. We don't believe Safe Harbor 2.0 will end this debate."

The Information Technology and Innovation Foundation applauded the agreement while criticizing the manner in which the EU axed Safe Harbor in the first place.

"Going forward, the United States and EU should make a number of much-needed privacy reforms to continue rebuilding trust and cooperation and ensure the world's most critical economic relationship continues to endure in the digital age," the ITIF stated in its release. "In the United States, this includes further surveillance reform and passing the Judicial Redress Act. In Europe, this means rejecting protectionist measures, such as a European Cloud, and fully embracing the spirit of a digital single market, not just in Europe, but globally.

"Both countries should also come together to work more closely on important issues such as promoting strong encryption and improving cyber security," the ITIF further stated. "And ultimately, the European Commission should reformulate its data protection regulations to replace the 'adequacy' standard with a 'duty-of-care' provision that requires companies doing business in Europe to be responsible for the actions of their agents and business partners, regardless of where they are located."

The Direct Marketing Association applauded the resolution, stating "DMA has been an ardent and early supporter of the EU-U.S. Safe Harbor framework, working with some of the original architects and industry officials in the U.S. and Europe to craft the DMA dispute resolution services. DMA will work with the U.S. Department of Commerce on the new provisions of the 'EU-U.S. Privacy Shield' and continue our nearly 15 years of successful dispute resolution services as we move forward under this new agreement. DMA urges its members to review the requirements of the new agreement as they are released in the upcoming weeks, and DMA will provide in-depth analysis and compliance guidance for our members and our participant companies in the near future."


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
