The Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, says Christian Wigand, EC spokesperson for Justice.
The Digital Post: Despite the reassuring statements of the European Commission, the new “Safe Harbour” does not seem out of danger. Is the Privacy Shield strong enough to resist any future attempt to challenge its legal legitimacy?
Christian Wigand: As we have said from the beginning, the Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, which have been the basis for the negotiations. We used the ECJ ruling as a “benchmark” in the final phase of the negotiations. Let me explain how three key requirements have been addressed:
– The European Court of Justice required limitations for access to personal data for national security purposes and the availability of independent oversight and redress mechanisms.
The U.S. ruled out indiscriminate mass surveillance on the personal data transferred to the US under this arrangement and for the first time, has given written commitments in this respect to the EU. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be set up, independent from the intelligence services.
– The Court required a regular review of the adequacy decisions.
There will be an annual joint review to regularly review the functioning of the arrangement, which will also include the issue of national security access.
– The Court required that all individual complaints about the way U.S. companies process their personal data are investigated and resolved.
There will be a number of ways to address complaints, starting with dispute resolution by the company and free of charge alternative dispute resolution solutions. Citizens can also go to the Data protection authorities who will work together with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress possibility in the area of national security for EU citizens will be handled by an Ombudsman independent from the US intelligence services.
TDP: Three months ago French Interior Minister Bernard Cazeneuve and his German counterpart, Thomas de Maizière, called on the EU to adopt a law that would require apps companies to make encrypted messages available to law enforcement. What is the official position of the Commission on this particular issue? Is the Commission working on a proposal?
CW: Encryption is widely recognised as an essential tool for security and trust in open networks. It can play a crucial role, together with other measures, to protect information, including personal data, hence reducing the impact of data breaches and security incidents. However, the use of encryption should not prevent competent authorities from safeguarding important public interests in accordance with the procedures, conditions and safeguards set forth by law.
The current Data Protection Directive (which also applies to the so-called over-the-top service providers such as WhatsApp or Skype) allows Member States to restrict the scope of certain data protection rights where necessary and proportionate to, for instance, safeguard national security, and the prevention, investigation, detection and prosecution of criminal offences.
The new General Data Protection Regulation (which will apply as from 25 May 2018) maintains these restrictions.
TDP: According to a survey published recently by Dell most firms are unprepared for the EU’s General Data Protection Regulations less than 18 months before it enters into force. Are you worried about that?
CW: To make the new data protection rules work in practice is a priority for us and we work closely with all stakeholders on that. The European Commission has set out a number of measures to make sure that companies operating in the European Union as well as national regulators will be ready for the new rules. There is work ongoing on all levels, with data protection authorities, industry representatives, data protection experts from Member States and of course national governments. For example, there are monthly meetings with Member States authorities on implementation. At the same time we are setting up a network between the Commission and national authorities to exchange information on the implementation of the Regulation and to share good practices.
Ever since the Paris terrorist attacks in November, the debate over government ‘backdoors’ into encryption has been back in the spotlight. For obvious reasons the US is at the forefront of the dispute as it is home to an overwhelming share of the world’s leading businesses in the digital sector.
US authorities are increasingly seeking the cooperation of these companies with regard to special access on encrypted systems as part of the on-going government campaign against terrorism.
However, Silicon Valley companies and civil society groups reject such calls on the grounds that this will undermine digital security, posing a threat to crucial rights such as privacy or freedom of expression (Apple CEO Tim Cook has emerged as the most vocal industry leader in criticizing federal plans to weaken encryption).
The truth is both camps may have a point. That is why it is difficult to pick a side in such a complex and mostly technical discussion, as it is very hard to tell how to strike the right balance between security and privacy matters.
In this respect, it is interesting to note the opinion expressed by AT&T CEO Randall Stephenson on the sidelines of the World Economic Forum that is currently taking place in Davos.
According to Mr. Stephenson, it is Congress, not the companies, that should determine U.S. policy on access to encrypted data on cellphones and other devices. “I personally think that this is an issue that should be decided by the American people and Congress, not by companies,” Mr. Stephenson said on Wednesday, in an interview with The Wall Street Journal.
For the record, Mr. Stephenson added that his own company has been unfairly singled out in the debate over access to data. “It is silliness to say there’s some kind of conspiracy between the U.S. government and AT&T,” he said, clarifying that the company turns over information only when accompanied by a warrant or court order.
It is hard to disagree that the decision on access to encrypted data should lie with democratically elected bodies.
Encryption is bound to become a key issue in the 2016 presidential race, as the latest Democratic Party presidential debate has clearly shown, although barely 10% of US adults say they have encrypted their communications, according to a recent Pew Research poll. Therefore, the American electorate will soon have a say on the matter.
This may sound like a simplistic way to address the issue (digital activists are pointing out that US politicians have little knowledge of the issue).
But if the topic of encryption is properly addressed in the context of an open and democratic discussion, and any action is ultimately taken with the backing of elected representatives, there is little reason to complain.
Even so (and if basic rights are being put at risk, as some may suggest) modern democracies, such as the US, offer the legal means to challenge – and sometimes reverse – a decision through federal courts.