The Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, says Christian Wigand, EC spokesperson for Justice.
The Digital Post: Despite the reassuring statements of the European Commission, the new “Safe Harbour” does not seem out of danger. Is the Privacy Shield strong enough to resist any future attempt to challenge its legal legitimacy?
Christian Wigand: As we have said from the beginning, the Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, which have been the basis for the negotiations. We used the ECJ ruling as a “benchmark” in the final phase of the negotiations. Let me explain how three key requirements have been addressed:
– The European Court of Justice required limitations for access to personal data for national security purposes and the availability of independent oversight and redress mechanisms.
The U.S. ruled out indiscriminate mass surveillance on the personal data transferred to the US under this arrangement and, for the first time, has given written commitments in this respect to the EU. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be set up, independent from the intelligence services.
– The Court required a regular review of the adequacy decisions.
There will be an annual joint review to regularly review the functioning of the arrangement, which will also include the issue of national security access.
– The Court required that all individual complaints about the way U.S. companies process their personal data are investigated and resolved.
There will be a number of ways to address complaints, starting with dispute resolution by the company and free of charge alternative dispute resolution solutions. Citizens can also go to the Data protection authorities who will work together with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress possibility in the area of national security for EU citizens will be handled by an Ombudsman independent from the US intelligence services.
TDP: Three months ago French Interior Minister Bernard Cazeneuve and his German counterpart, Thomas de Maizière, called on the EU to adopt a law that would require apps companies to make encrypted messages available to law enforcement. What is the official position of the Commission on this particular issue? Is the Commission working on a proposal?
CW: Encryption is widely recognised as an essential tool for security and trust in open networks. It can play a crucial role, together with other measures, to protect information, including personal data, hence reducing the impact of data breaches and security incidents. However, the use of encryption should not prevent competent authorities from safeguarding important public interests in accordance with the procedures, conditions and safeguards set forth by law.
The current Data Protection Directive (which also applies to the so-called over-the-top service providers such as WhatsApp or Skype) allows Member States to restrict the scope of certain data protection rights where necessary and proportionate to, for instance, safeguard national security, and the prevention, investigation, detection and prosecution of criminal offences.
The new General Data Protection Regulation (which will apply as from 25 May 2018) maintains these restrictions.
TDP: According to a survey published recently by Dell, most firms are unprepared for the EU’s General Data Protection Regulation less than 18 months before it enters into force. Are you worried about that?
CW: To make the new data protection rules work in practice is a priority for us and we work closely with all stakeholders on that. The European Commission has set out a number of measures to make sure that companies operating in the European Union as well as national regulators will be ready for the new rules. There is work ongoing on all levels, with data protection authorities, industry representatives, data protection experts from Member States and of course national governments. For example, there are monthly meetings with Member States authorities on implementation. At the same time we are setting up a network between the Commission and national authorities to exchange information on the implementation of the Regulation and to share good practices.
Picture credits: U.S. Army
As widely reported by the press, the Internet of Things took center stage at this year’s CES event in Las Vegas. But it wasn’t just a matter of health trackers, connected cars or “smart” home appliances being showcased to the usual crowd of tech enthusiasts. There was also a lot of talk about the implications of a coming world in which most everyday objects will be connected.
In fact, for all its touted benefits, the rise of IoT is expected to raise a number of legal questions and regulatory issues. This was the core message of a speech delivered by US Federal Trade Commission chairwoman Edith Ramirez during the event itself.
While recognizing that the boom in connected devices has the potential to foster global economic growth and improve people’s lives, Ramirez voiced particular concern about security and privacy risks posed by the Internet of Things. Her words highlight FTC efforts in developing a fresh and more tailored response to the challenge.
So, how is the European Union faring in this respect? Well, let’s say that it’s time to do more.
The European Commission held a public consultation on IoT between April and July 2012 with a view to presenting an ambitious “recommendation” (i.e. non-binding) by Spring 2013. At the same time, the conclusions of an EU Expert Group signalled that policy initiatives were required in areas as varied as privacy, safety and security, ethics, interoperability, governance and standards.
Yet the recommendation has never come into being, and ever since IoT has all but disappeared from the EU institutions’ radar. To a certain extent some IoT issues have been addressed through a proposed “data protection” regulation and a cyber security directive.
However, a far more comprehensive approach is clearly needed and the new European Commission should start working on it as soon as possible. Even if it may still be considered in its infancy, IoT is growing at a rapid pace. According to Cisco, some 25 billion devices will be connected by 2015, and 50 billion by 2020. A stronger regulatory framework at EU level will not only ensure that consumers’ rights are kept safe, but will also enable the industry to evolve in a stable manner, as legal uncertainty is bad for innovation too.