
2/2/2016
01:30 PM

EU, US Agree On New Data Transfer Pact, But Will It Hold?

So long Safe Harbor, hello 'Privacy Shield.'

Organizations that rely on trans-Atlantic data transfer are finally breathing a sigh of relief, now that the European Union and the United States have reached a new data transfer agreement, two days after the old agreement -- Safe Harbor, which was struck down in October -- expired. Yet some experts remain skeptical that even this new pact, which better protects European citizens' privacy, will survive the scrutiny of the European Court of Justice (ECJ).

Will the court ultimately destroy the new pact, dubbed "EU-US Privacy Shield," on the same basis that it struck down Safe Harbor? From Dark Reading's recent story, "No Safe Harbor is Coming: CISA Made Sure of It":

In its judgment, the ECJ wrote that European Commission did not state in the Safe Harbor Agreement "that the United States in fact ‘ensures’ an adequate level of protection, by reason of its domestic law or its international commitments." Therefore, "without there being any need to examine the content of the safe harbour principles," the ECJ concluded that the agreement failed to comply with the requirements laid down by the EU Data Protection Directive "and that it is accordingly invalid."

In other words, the principles of Safe Harbor were irrelevant to the decision to strike down the agreement.

"What's important about this," [Danny O'Brien, international director of the Electronic Frontier Foundation] says, "is that without US legal reform, the Safe Harbor -- and all the other proposals to move personal data from the US to the EU -- fail."

Yet the officials who wrote this proposal think it will succeed. In the press conference announcing the agreement today, Vera Jourová, European Union Commissioner for Justice, Consumers, and Gender Equality, said the new agreement "lives up to the requirements of the ECJ."

Jourová stated that the agreement has established "clear safeguards" on US access to EU citizens' data, and that the US Office of the Director of National Intelligence will provide written assurance on them. "This is a unique step on the part of the US," Jourová said, "in order to restore trust in our trans-Atlantic relations."

Privacy Shield would also differ from Safe Harbor in being a "living mechanism" rather than a one-time deal. The Commission and the US Department of Commerce will regularly monitor how the agreement functions, the Commission will publish an annual report on its status, and there will be "strong obligations on companies handling the data," said Jourová, backed by regular reviews by the Department of Commerce to make sure those companies are meeting their obligations. Companies that aren't will be sanctioned or removed from the list of entities permitted to transfer data.

They also established rules to give Europeans "accessible and affordable" mechanisms for lodging complaints about US use of their personal data. Jourová also referenced the Judicial Redress bill, which cleared the Senate committee stage on Jan. 28. If passed into law, it would give European citizens the right to sue the US if law enforcement agencies misused their data.

The complete details of the agreement have not yet been released. Both countries will be formalizing their documents on the matter over the following weeks.

The big question is whether it does indeed live up to the European Court of Justice's requirements.

"I think it's really hard to say until we see the actual text," says EFF's O'Brien. "I think the reason why we haven't seen a concrete agreement until now is because as soon as anyone gets down to the details, it becomes clear that it won't stand up to [Court of Justice of the European Union] scrutiny."

Response to Privacy Shield thus far has been a mix of relief and skepticism.

"While the creation of a new Safe Harbor agreement for EU-US data transfer may not please both sides entirely, it does enable US businesses to continue operations with European customers without incurring stiff penalties but also makes some important concessions for European data privacy," says Yorgen Edholm, CEO of cloud collaboration services firm Accellion. "That said, European attitudes toward data privacy have not changed and we suspect it will only be a matter of time before Safe Harbor 2.0 is challenged in court. Ultimately, the practice of trans-Atlantic data transfer will remain controversial as long as there remains a fundamental difference of opinion between the U.S. and the EU on what is more important: national security or data privacy. We don't believe Safe Harbor 2.0 will end this debate."

The Information Technology and Innovation Foundation applauded the agreement while criticizing the manner in which the EU axed Safe Harbor in the first place.

"Going forward, the United States and EU should make a number of much-needed privacy reforms to continue rebuilding trust and cooperation and ensure the world's most critical economic relationship continues to endure in the digital age," the ITIF stated in its release. "In the United States, this includes further surveillance reform and passing the Judicial Redress Act. In Europe, this means rejecting protectionist measures, such as a European Cloud, and fully embracing the spirit of a digital single market, not just in Europe, but globally.

"Both countries should also come together to work more closely on important issues such as promoting strong encryption and improving cyber security," the ITIF further stated. "And ultimately, the European Commission should reformulate its data protection regulations to replace the 'adequacy' standard with a 'duty-of-care' provision that requires companies doing business in Europe to be responsible for the actions of their agents and business partners, regardless of where they are located."

The Direct Marketing Association applauded the resolution, stating “DMA has been an ardent and early supporter of the EU-U.S. Safe Harbor framework, working with some of the original architects and industry officials in the U.S. and Europe to craft the DMA dispute resolution services. DMA will work with the U.S. Department of Commerce on the new provisions of the ‘EU-U.S. Privacy Shield’ and continue our nearly 15 years of successful dispute resolution services as we move forward under this new agreement. DMA urges its members to review the requirements of the new agreement as they are released in the upcoming weeks, and DMA will provide in-depth analysis and compliance guidance for our members and our participant companies in the near future.”


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
