Europe's New Privacy Shield: Will It Hold?
US Mass Surveillance Practices Could Still Derail Data Transfer Deal
Businesses on both sides of the Atlantic have been breathing a sigh of relief over the July 12 launch of the EU-U.S. data transfer agreement known as the Privacy Shield.
Complying with Privacy Shield gives businesses a legal way to gather Europeans' personally identifiable information and transfer it to servers in the United States without running afoul of EU data protection and privacy rules. The voluntary, self-certification agreement, issued by the European Commission, replaces a previous, similar arrangement called Safe Harbor, which the European Court of Justice struck down in October. The court's ruling was based, in part, on U.S. mass surveillance practices, which EU judges said resulted in the U.S. being unable to prove that its "law and practices ... ensure an adequate level of protection" for Europeans' right to privacy.
But it's unclear if Privacy Shield will pass muster with the European Court of Justice. Privacy rights groups have already promised to fight the new agreement on the grounds that it doesn't do enough to protect Europeans' personal data from U.S. intelligence agencies.
Europe's expansive data protection rules stipulate that any piece of information that could be used to identify, locate or contact an individual counts as personal data. That includes not just names and email addresses, but also Internet Protocol addresses and browser cookies. EU organizations must gain an individual's express consent before collecting such information, delete it upon request and retain it no longer than necessary, all of which is also required under Privacy Shield.
Technology Giants Laud Deal
Many U.S. businesses have been eagerly awaiting Privacy Shield because it gives them a relatively straightforward way to transfer Europeans' personal data without having to rely on other legal mechanisms to demonstrate that they comply with EU data protection rules. Germany recently fined several companies - including Adobe and Unilever - that were continuing to rely on Safe Harbor after the EU high court had ruled that it was no longer valid.
During the negotiations to develop Privacy Shield, many technology firms - including Apple, Cisco, Dropbox, Google, Microsoft, Samsung and Sony - were represented by DigitalEurope, which has applauded the new deal and said members are preparing to comply with it. Microsoft's John Frank, vice president for EU government affairs, says in a blog post that the new arrangement offers strong privacy protections. "Privacy Shield secures Europeans' right to legal redress, strengthens the role of data protection authorities, introduces an independent oversight body [via a U.S. ombudsman], and it clarifies data collection practices by U.S. security agencies."
Michelle Dennedy, Cisco's chief privacy officer, says complying with Privacy Shield will prove good for business. "As much as this may feel like a big compliance headache, one thing is certain," she says in a blog post. "Both sides of the Atlantic take the need to address EU privacy concerns very seriously. Ultimately, it will drive trust in business and confidence with customers, regulators and citizens alike, and that is always a good thing."
Tougher Privacy Rules
Julie Brill, who served as a commissioner of the U.S. Federal Trade Commission until March and now co-heads law firm Hogan Lovells' privacy and cybersecurity practice, also backs Privacy Shield, noting that it holds U.S. businesses to a much higher standard for protecting Europeans' information than before.
"Companies that volunteer to join Privacy Shield will have to comply with significantly enhanced requirements, such as obtaining consent from Europeans before they share data with third parties, including affirmative express consent to share sensitive data such as health information," Brill says. "Signatories must also allow Europeans to access, correct or delete applicable data. Crucially, companies will have to require their business partners, who receive information about Europeans, to also live up to these principles."
Is Privacy Shield Strong Enough?
But the Privacy Shield negotiation process hasn't been a smooth one. Many EU regulators and members of the European Parliament have been highly critical of any deal that would not guarantee Europeans the same level of data privacy and redress rights that they enjoy under EU law. It's not yet clear whether the new arrangement does so, or comes close enough to alleviate critics' concerns.
The Article 29 Working Party, which represents the EU's data protection agencies, has yet to comment on the final agreement. But the group criticized a draft version of Privacy Shield, noting that while it offered "significant improvements" over Safe Harbor, it failed to resolve multiple data protection concerns.
Tomaso Falchetta, legal officer for civil rights group Privacy International, says in a blog post that "the 'new' Privacy Shield looks very much like the old one," meaning Safe Harbor. He notes that Privacy Shield comprises "a collection of commitments and explanatory notes by various parts of the U.S. government making it very difficult for anyone to assess what guarantees are provided to the protection of personal data and how they would apply in practice," adding that these commitments lack any related, legal guarantees. As a result, he says the measure relays intentions while offering little apparent accountability.
Prepare For Court Battle
Privacy Shield likely will face court challenges from privacy rights groups. The case that resulted in Europe's high court invalidating Safe Harbor began when Austrian privacy campaigner Max Schrems filed suit against Facebook. His suit hinged on documents leaked by former U.S. National Security Agency contractor Edward Snowden suggesting that Europeans' private information was being shared with U.S. intelligence agencies.
Schrems and Jan-Philipp Albrecht, a Green/EFA Member of the European Parliament who served as lead negotiator for the EU's new landmark General Data Protection Regulation, have criticized Privacy Shield's privacy protections as insufficient. In a July 12 Irish Times editorial - Facebook's European operations are based in Dublin - the pair predict that this agreement will also be invalidated by the European Court of Justice.
In particular, Schrems and Albrecht note that for Europeans who believe their personal data has been mishandled, "the rules for legal redress are rather complex." In addition, the U.S. ombudsman will be a government official with questionable legal powers, rather than a court or independent body.
That's relevant, because the EU high court's decision to invalidate Safe Harbor centered in large part on U.S. mass surveillance practices, including post-Snowden revelations that U.S. intelligence agencies were intercepting Europeans' personal data that was being collected by U.S. technology companies. But it's not clear if the intelligence agencies have altered their behavior in any way, or if the U.S. ombudsman would have any oversight or control over such practices.
Next Stop: Annual Review
Viviane Reding, a member of the European Parliament who served as the EU's justice commissioner when the Snowden revelations came to light, notes that "doubts persist concerning the access of American public authorities to transferred data." But she argues that U.S. organizations - and the U.S. government - need to be given a chance to make Privacy Shield work. "If our American partners don't keep their promises, the [European] Commission should quickly draw the appropriate conclusions," she says.
Reding hopes the agreement will also become an instrument for helping to curtail the mass surveillance practices revealed by Snowden's leaks. "Let's turn this Privacy Shield into a living agreement that can be reinforced where and when necessary to finally end mass surveillance," she says.
While the Privacy Shield is designed to help assure Europeans that their personal data will be shielded from organizations and intelligence agencies that shouldn't have access to it, it's not yet clear whether it will achieve that goal.
"This issue is far from dead, and this agreement will be challenged in the European Court of Justice, where its adequacy will be determined," information security consultant Brian Honan said in a recent SANS Institute newsletter.