EU, US Agree On New Data Transfer Pact, But Will It Hold?So long Safe Harbor, hello 'Privacy Shield.'
Organizations that rely on trans-Atlantic data transfer are finally breathing a sigh of relief, now that the European Union and the United States have reached a new data transfer agreement, two days after the old agreement -- Safe Harbor, which was struck down in October -- expired. Yet some experts remain skeptical that even this new pact, which better protects European citizens' privacy, will survive the scrutiny of the European Court of Justice (ECJ).
Will the court ultimately destroy the new pact, dubbed "EU-US Privacy Shield," on the same basis that it struck down Safe Harbor? From DarkReading's recent story, "No Safe Harbor is Coming: CISA Made Sure of It":
In its judgment, the ECJ wrote that European Commission did not state in the Safe Harbor Agreement "that the United States in fact ‘ensures’ an adequate level of protection, by reason of its domestic law or its international commitments." Therefore, "without there being any need to examine the content of the safe harbour principles," the ECJ concluded that the agreement failed to comply with the requirements laid down by the EU Data Protection Directive "and that it is accordingly invalid."
In other words, the principles of safe harbor were irrelevant to the decision to striking down the agreement.
"What's important about this," [Danny O'Brien, international director of the Electronic Frontier Foundation] says, "is that without US legal reform, the Safe Harbor -- and all the other proposals to move personal data from the US to the EU -- fail."
Yet the officials who wrote this proposal think it will succeed. In the press conference announcing the agreement today, Vera Jourová, European Union Commissioner for Justice, Consumers, and Gender Equality, said the new agreement "lives up to the requirements of the ECJ."
Jourova stated that the agreement has established "clear safeguards" on US access to EU citizens' data, and that the US Office of the Director of National Intelligence will provide written assurance on them. "This is a unique step on the part of the US," Jourova said, "in order to restore trust in our trans-Atlantic relations."
Privacy Shield would also differ from Safe Harbor in that it would be a "living mechanism" instead of a one-time deal. The Commission and the US Department of Commerce will regularly monitor the functioning of this agreement, the Commission will provide an annual report on its status, and there will be "strong obligations on companies handling the data," said Jourova, and regular reviews by the Department of Commerce to make sure that those companies are meeting their obligations. If they aren't, they will be sanctioned or be removed from the list of entities that can transfer data.
They also established rules to give Europeans "accessible and affordable" mechanisms to issue complaints about US use of their personal data. Jourova also referenced the Judicial Redress bill that made it through committee level of the Senate Jan. 28. If passed into law, it would give European citizens the right to sue the US if law enforcement agencies misused their data.
The complete details of the agreement have not yet been released. Both countries will be formalizing their documents on the matter over the following weeks.
The big question will be, does it indeed live up to the European Court of Justice's requirements, or not?
"I think it's really hard to say until we see the actual text," says EFF's O'Brien. "I think the reason why we haven't seen a concrete agreement until now is because as soon as anyone gets down to the details, it becomes clear that it won't stand up to [Court of Justice of the European Union] scrutiny."
Response to Privacy Shield thus far has been a mix of relief and skepticism.
“While the creation of a new Safe Harbor agreement for EU-US data transfer may not please both sides entirely, it does enable US businesses to continue operations with European customers without incurring stiff penalties but also makes some important concessions for European data privacy," says Yorgen Edholm, CEO of cloud collaboration services firm Accellion. "That said, European attitudes toward data privacy have not changed and we suspect it will only be a matter of time before Safe Harbor 2.0 is challenged in court. Ultimately, the practice of trans-Atlantic data transfer will remain controversial as long as there remains a fundamental difference of opinion between the U.S. and the EU on what is more important: national security or data privacy. We don’t believe Safe Harbor 2.0 will end this debate."
The Information Technology and Innovation Foundation applauded the agreement while criticizing the manner in which the EU axed Safe Harbor in the first place.
"Going forward, the United States and EU should make a number of much-needed privacy reforms to continue rebuilding trust and cooperation and ensure the world’s most critical economic relationship continues to endure in the digital age," the ITIF stated in their release. "In the United States, this includes further surveillance reform and passing the Judicial Redress Act. In Europe, this means rejecting protectionist measures, such as a European Cloud, and fully embracing the spirit of a digital single market, not just in Europe, but globally.
"Both countries should also come together to work more closely on important issues such as promoting strong encryption and improving cyber security," the ITIF further stated. "And ultimately, the European Commission should reformulate its data protection regulations to replace the 'adequacy' standard with a 'duty-of-care' provision that requires companies doing business in Europe to be responsible for the actions of their agents and business partners, regardless of where they are located."
The Direct Marketing Association applauded the resolution, stating “DMA has been an ardent and early supporter of the EU-U.S. Safe Harbor framework, working with some of the original architects and industry officials in the U.S. and Europe to craft the DMA dispute resolution services. DMA will work with the U.S. Department of Commerce on the new provisions of the ‘EU-U.S. Privacy Shield’ and continue our nearly 15 years of successful dispute resolution services as we move forward under this new agreement. DMA urges its members to review the requirements of the new agreement as they are released in the upcoming weeks, and DMA will provide in-depth analysis and compliance guidance for our members and our participant companies in the near future.”
Find out more at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio