Dark Reading
Cloud
2/2/2016 01:30 PM

EU, US Agree On New Data Transfer Pact, But Will It Hold?

So long Safe Harbor, hello 'Privacy Shield.'

Organizations that rely on trans-Atlantic data transfer are finally breathing a sigh of relief, now that the European Union and the United States have reached a new data transfer agreement, two days after the old agreement -- Safe Harbor, which was struck down in October -- expired. Yet some experts remain skeptical that even this new pact, which better protects European citizens' privacy, will survive the scrutiny of the European Court of Justice (ECJ).

Will the court ultimately destroy the new pact, dubbed "EU-US Privacy Shield," on the same basis that it struck down Safe Harbor? From Dark Reading's recent story, "No Safe Harbor is Coming: CISA Made Sure of It":

In its judgment, the ECJ wrote that the European Commission did not state in the Safe Harbor Agreement "that the United States in fact 'ensures' an adequate level of protection, by reason of its domestic law or its international commitments." Therefore, "without there being any need to examine the content of the safe harbour principles," the ECJ concluded that the agreement failed to comply with the requirements laid down by the EU Data Protection Directive "and that it is accordingly invalid."

In other words, the principles of Safe Harbor were irrelevant to the decision to strike down the agreement.

"What's important about this," [Danny O'Brien, international director of the Electronic Frontier Foundation] says, "is that without US legal reform, the Safe Harbor -- and all the other proposals to move personal data from the US to the EU -- fail."

Yet the officials who wrote this proposal think it will succeed. In the press conference announcing the agreement today, Vera Jourová, European Union Commissioner for Justice, Consumers, and Gender Equality, said the new agreement "lives up to the requirements of the ECJ."

Jourová stated that the agreement has established "clear safeguards" on US access to EU citizens' data, and that the US Office of the Director of National Intelligence will provide written assurance on them. "This is a unique step on the part of the US," Jourová said, "in order to restore trust in our trans-Atlantic relations."

Privacy Shield would also differ from Safe Harbor in that it would be a "living mechanism" instead of a one-time deal. The Commission and the US Department of Commerce will regularly monitor the functioning of the agreement, and the Commission will publish an annual report on its status. There will be "strong obligations on companies handling the data," said Jourová, backed by regular reviews by the Department of Commerce to make sure that those companies are meeting those obligations. Companies that aren't will be sanctioned or removed from the list of entities that can transfer data.

The negotiators also established rules to give Europeans "accessible and affordable" mechanisms for filing complaints about US use of their personal data. Jourová also referenced the Judicial Redress bill, which cleared the committee stage in the Senate on Jan. 28. If passed into law, it would give European citizens the right to sue the US if law enforcement agencies misused their data.

The complete details of the agreement have not yet been released. Both sides will be formalizing their documents on the matter over the following weeks.

The big question will be whether it indeed lives up to the European Court of Justice's requirements.

"I think it's really hard to say until we see the actual text," says EFF's O'Brien. "I think the reason why we haven't seen a concrete agreement until now is because as soon as anyone gets down to the details, it becomes clear that it won't stand up to [Court of Justice of the European Union] scrutiny."

Response to Privacy Shield thus far has been a mix of relief and skepticism.

"While the creation of a new Safe Harbor agreement for EU-US data transfer may not please both sides entirely, it does enable US businesses to continue operations with European customers without incurring stiff penalties but also makes some important concessions for European data privacy," says Yorgen Edholm, CEO of cloud collaboration services firm Accellion. "That said, European attitudes toward data privacy have not changed and we suspect it will only be a matter of time before Safe Harbor 2.0 is challenged in court. Ultimately, the practice of trans-Atlantic data transfer will remain controversial as long as there remains a fundamental difference of opinion between the U.S. and the EU on what is more important: national security or data privacy. We don't believe Safe Harbor 2.0 will end this debate."

The Information Technology and Innovation Foundation applauded the agreement while criticizing the manner in which the EU axed Safe Harbor in the first place.

"Going forward, the United States and EU should make a number of much-needed privacy reforms to continue rebuilding trust and cooperation and ensure the world's most critical economic relationship continues to endure in the digital age," the ITIF stated in its release. "In the United States, this includes further surveillance reform and passing the Judicial Redress Act. In Europe, this means rejecting protectionist measures, such as a European Cloud, and fully embracing the spirit of a digital single market, not just in Europe, but globally.

"Both countries should also come together to work more closely on important issues such as promoting strong encryption and improving cyber security," the ITIF further stated. "And ultimately, the European Commission should reformulate its data protection regulations to replace the 'adequacy' standard with a 'duty-of-care' provision that requires companies doing business in Europe to be responsible for the actions of their agents and business partners, regardless of where they are located."

The Direct Marketing Association applauded the resolution, stating: "DMA has been an ardent and early supporter of the EU-U.S. Safe Harbor framework, working with some of the original architects and industry officials in the U.S. and Europe to craft the DMA dispute resolution services. DMA will work with the U.S. Department of Commerce on the new provisions of the 'EU-U.S. Privacy Shield' and continue our nearly 15 years of successful dispute resolution services as we move forward under this new agreement. DMA urges its members to review the requirements of the new agreement as they are released in the upcoming weeks, and DMA will provide in-depth analysis and compliance guidance for our members and our participant companies in the near future."


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...