2/2/2016 01:30 PM

EU, US Agree On New Data Transfer Pact, But Will It Hold?

So long Safe Harbor, hello 'Privacy Shield.'

Organizations that rely on trans-Atlantic data transfer are finally breathing a sigh of relief, now that the European Union and the United States have reached a new data transfer agreement, two days after the old agreement -- Safe Harbor, which was struck down in October -- expired. Yet some experts remain skeptical that even this new pact, which better protects European citizens' privacy, will survive the scrutiny of the European Court of Justice (ECJ).

Will the court ultimately destroy the new pact, dubbed "EU-US Privacy Shield," on the same basis on which it struck down Safe Harbor? From DarkReading's recent story, "No Safe Harbor is Coming: CISA Made Sure of It":

In its judgment, the ECJ wrote that the European Commission did not state in the Safe Harbor Agreement "that the United States in fact ‘ensures’ an adequate level of protection, by reason of its domestic law or its international commitments." Therefore, "without there being any need to examine the content of the safe harbour principles," the ECJ concluded that the agreement failed to comply with the requirements laid down by the EU Data Protection Directive "and that it is accordingly invalid."

In other words, the principles of Safe Harbor themselves were irrelevant to the decision to strike down the agreement.

"What's important about this," [Danny O'Brien, international director of the Electronic Frontier Foundation] says, "is that without US legal reform, the Safe Harbor -- and all the other proposals to move personal data from the US to the EU -- fail."

Yet the officials who wrote this proposal think it will succeed. In the press conference announcing the agreement today, Vera Jourová, European Union Commissioner for Justice, Consumers, and Gender Equality, said the new agreement "lives up to the requirements of the ECJ."

Jourová said the agreement establishes "clear safeguards" on US access to EU citizens' data, and that the US Office of the Director of National Intelligence will provide written assurance on them. "This is a unique step on the part of the US," Jourová said, "in order to restore trust in our trans-Atlantic relations."

Privacy Shield would also differ from Safe Harbor in that it would be a "living mechanism" instead of a one-time deal. The Commission and the US Department of Commerce will regularly monitor the functioning of the agreement, the Commission will publish an annual report on its status, and there will be "strong obligations on companies handling the data," said Jourová, backed by regular reviews by the Department of Commerce to make sure those companies are meeting their obligations. Companies that aren't will be sanctioned or removed from the list of entities that can transfer data.

The negotiators also established rules to give Europeans "accessible and affordable" mechanisms for lodging complaints about US use of their personal data. Jourová also referenced the Judicial Redress bill, which cleared committee in the Senate on Jan. 28. If passed into law, it would give European citizens the right to sue the US if law enforcement agencies misused their data.

The complete details of the agreement have not yet been released. Both sides will be formalizing their documents on the matter over the following weeks.

The big question is whether it does, in fact, live up to the European Court of Justice's requirements.

"I think it's really hard to say until we see the actual text," says EFF's O'Brien. "I think the reason why we haven't seen a concrete agreement until now is because as soon as anyone gets down to the details, it becomes clear that it won't stand up to [Court of Justice of the European Union] scrutiny."

Response to Privacy Shield thus far has been a mix of relief and skepticism.

“While the creation of a new Safe Harbor agreement for EU-US data transfer may not please both sides entirely, it does enable US businesses to continue operations with European customers without incurring stiff penalties but also makes some important concessions for European data privacy," says Yorgen Edholm, CEO of cloud collaboration services firm Accellion. "That said, European attitudes toward data privacy have not changed and we suspect it will only be a matter of time before Safe Harbor 2.0 is challenged in court. Ultimately, the practice of trans-Atlantic data transfer will remain controversial as long as there remains a fundamental difference of opinion between the U.S. and the EU on what is more important: national security or data privacy. We don’t believe Safe Harbor 2.0 will end this debate."

The Information Technology and Innovation Foundation applauded the agreement while criticizing the manner in which the EU axed Safe Harbor in the first place.

"Going forward, the United States and EU should make a number of much-needed privacy reforms to continue rebuilding trust and cooperation and ensure the world’s most critical economic relationship continues to endure in the digital age," the ITIF stated in its release. "In the United States, this includes further surveillance reform and passing the Judicial Redress Act. In Europe, this means rejecting protectionist measures, such as a European Cloud, and fully embracing the spirit of a digital single market, not just in Europe, but globally.

"Both countries should also come together to work more closely on important issues such as promoting strong encryption and improving cyber security," the ITIF further stated. "And ultimately, the European Commission should reformulate its data protection regulations to replace the 'adequacy' standard with a 'duty-of-care' provision that requires companies doing business in Europe to be responsible for the actions of their agents and business partners, regardless of where they are located."

The Direct Marketing Association applauded the resolution, stating “DMA has been an ardent and early supporter of the EU-U.S. Safe Harbor framework, working with some of the original architects and industry officials in the U.S. and Europe to craft the DMA dispute resolution services. DMA will work with the U.S. Department of Commerce on the new provisions of the ‘EU-U.S. Privacy Shield’ and continue our nearly 15 years of successful dispute resolution services as we move forward under this new agreement. DMA urges its members to review the requirements of the new agreement as they are released in the upcoming weeks, and DMA will provide in-depth analysis and compliance guidance for our members and our participant companies in the near future.”


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
