The Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, says Christian Wigand, EC spokesperson for Justice.
The Digital Post: Despite the reassuring statements of the European Commission, the new “Safe Harbour” does not seem out of danger. Is the Privacy Shield enough strong to resist any future attempt to challenge its legal legitimacy?
Christian Wigand: As we have said from the beginning, the Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, which have been the basis for the negotiations. We used the ECJ ruling as a “benchmark” in the final phase of the negotiations, let me explain how three key requirements have been addressed:
– The European Court of Justice required limitations for access to personal data for national security purposes and the availability of independent oversight and redress mechanisms.
The U.S. ruled out indiscriminate mass surveillance on the personal data transferred to the US under this arrangement and for the first time, has given written commitments in this respect to the EU. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be set up, independent from the intelligence services.
– The Court required a regular review of the adequacy decisions.
There will be an annual joint review to regularly review the functioning of the arrangement, which will also include the issue of national security access.
– The Court required that all individual complaints about the way U.S. companies process their personal data are investigated and resolved.
There will be a number of ways to address complaints, starting with dispute resolution by the company and free of charge alternative dispute resolution solutions. Citizens can also go to the Data protection authorities who will work together with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress possibility in the area of national security for EU citizens’ will be handled by an Ombudsman independent from the US intelligence services
TDP: Three months ago French Interior Minister Bernard Cazeneuve and his German counterpart, Thomas de Maizière, called on the EU to adopt a law that would require apps companies to make encrypted messages available to law enforcement. What is the official position of the Commission on this particular issue? Is the Commission working on a proposal?
CW: Encryption is widely recognised as an essential tool for security and trust in open networks. It can play a crucial role, together with other measures, to protect information, including personal data, hence reducing the impact of data breaches and security incidents. However, the use of encryption should not prevent competent authorities from safeguarding important public interests in accordance with the procedures, conditions and safeguards set forth by law.
The current Data Protection Directive (which also applies to the so-called over-the-top service providers such as WhatsApp or Skype) allows Member States to restrict the scope of certain data protection rights where necessary and proportionate to, for instance, safeguard national security, and the prevention, investigation, detection and prosecution of criminal offences.
The new General Data Protection Regulation (which will apply as from 25 May 2018) maintains these restrictions.
TDP: According to a survey published recently by Dell most firms are unprepared for the EU’s General Data Protection Regulations less than 18 months before it enters into force. Are you worried about that?
CW: To make the new data protection rules work in practice is a priority for us and we work closely with all stakeholders on that. The European Commission has set out a number of measures to make sure that companies operating in the European Union as well as national regulators will be ready for the new rules. There is work ongoing on all levels, with data protection authorities, industry representatives, data protection experts from Member States and of course national governments. For example, there are monthly meetings with Member States authorities on implementation. At the same time we are setting up a network between the Commission and national authorities to exchange information on the implementation of the Regulation and to share good practices.
Picture credits: U.S. Army
In the context of the 7th annual EuroCloud Forum, which takes place from 5-6 October in Bucharest, Romania, Elena Zvarici, executive board member of EuroCloud Europe, talks about how Europe can take advantage of cloud computing and the data economy.
In order for Europe to take full advantage of cloud computing and the data economy, we need to strike the right balance between regulation and innovation
In the digital world the balancing act between business and regulation is a delicate one. In the past year we have seen the adoption of the new European General Data Protection Regulation, the invalidation of the Safe Harbour agreement for transatlantic data transfers and problematic discussions around its replacement the Privacy Shield.
Setting these developments into the context of the many ongoing initiatives at EU level aimed at encouraging innovation and the data economy, it is clear that getting the balance right is no easy task.
Europe is leading the way in data privacy and advocates a high level of data protection worldwide. The newly adopted General Data Protection Regulation introduces a new concept of responsibility towards data ownership, as well as new legal obligations for businesses to comply. For cloud SMEs and start-ups, getting up to speed can be problematic and they will need help.
A coordinated approach is needed between data protection authorities, policy makers and industry, in order to help organizations in this transition, by providing adequate data breach reporting tools, compliance toolkits and publicising the key issues. Let’s make sure that European SMEs and start-ups, so often the drivers of growth in Europe, are well placed to comply.
While the GDPR provides a high level of data protection we must remember that we are ever more connected through digital means and cannot think solely in terms of Europe. We are global users and exporters of digital services and need to have a strong cloud computing and data economy to be competitive. International data flows will play a key part in this. To avoid regulation clashes and to create international data-driven markets, in the future we should strive towards the creation of uniform, accepted standards of personal data protection on a global basis.
The recent agreement on the Privacy Shield for EU-US data transfers did not come a moment too soon and will hopefully bring the much needed legal certainty for the approximately 4,000 businesses who made use of the safe harbour mechanism. This legal assurance is vital. Many of these companies will rely on global information exchanges. Let’s hope that the provisions in the Privacy Shield can provide a robust enough framework to encourage data flows while providing high standards of data protection.
Global data flows are vital to international trade and economic growth and the European Commission Initiative on the free flow of data, expected at the end of 2016, should aim to enable European companies, particularly in the growing cloud computing sector, to be in the forefront of the global innovation race.
The Initiative should aim to reinforce the European cloud sector, so that companies are encouraged to develop new innovative services in the cloud, sell their services cross-border and enter the global market as exporters of technology.
This can be done by providing clarity on issues such as data ownership, liability arising from data use and data localisation across Europe.
If we really want to position Europe as a global leader in the data economy we need to ensure that we get the balance right. This means ensuring high levels of privacy while fostering new business innovation in sectors that rely on data and developing trust and confidence among users, from the individual consumer to the public and private sector.
Now is the time to move forward and encourage Europe to reap the benefits of data and the cloud.
Picture credits: Roberto Sartori
If Standard Contractual Clauses (SCCs) suffer the same fate as Safe Harbour then transferring data to the US will in practice become almost impossible, further threatening to balkanize the Internet and to undermine international trade.
Eight months ago the Financial Times warned in an editorial that a ruling by the Court of Justice of the European Union (CJEU) to invalidate Safe Harbour, a commonly used legal mechanism for transferring data to the US, threatened to balkanize the Internet and undermine international trade.
That threat deepened sharply last week when Ireland’s top data protection authority, the Irish Data Protection Commission, announced it would refer another legal mechanism, Standard Contractual Clauses (SCCs) to the courts too.
After Safe Harbour was invalidated companies that need to transfer data as part of their day-to-day activities scrambled to find other legal methods to allow them to continue. One such method is the Standard Contractual Clause.
If SCCs suffer the same fate as Safe Harbour then transferring data to the US will in practice become almost impossible.
But it’s not just transatlantic data flows that are being called into question. Companies use SCCs to transfer data all over the world.
If Europe’s courts conclude that SCCs are no safer than Safe Harbour this could effectively cut Europe out of the emerging global data economy, and that would hurt companies from almost every corner of the economy – not just the tech sector.
Global data flows are vital to international trade. Forcing companies to store their data within Europe will have serious implications for Europe’s economic prospects.
As the European Data Protection Supervisor, Giovanni Buttarelli himself said last week, it is unreasonable to ask companies to reinvent their practises all the time.
I would urge Europe’s data protection authorities to stop shifting the legal goal posts for international data transfers and to wait until Safe Harbour’s intended replacement, the Privacy Shield, has been given a chance to work.
The Privacy Shield, with its Ombudsperson role, would address the key concerns about EU citizens’ potential exposure to unwarranted surveillance by US security agencies.
Privacy activists have dismissed the Privacy Shield before it’s even been given a chance to work. Jumping to a negative conclusion when so much is at stake seems rather reckless.
Right now we need more legal certainty, not less. Give Privacy Shield a chance. If necessary make fixes once it’s in place but don’t throw companies into a legal black hole by closing down all options for international data transfers.
Picture credits: Devin Poolman
The Digital Post speaks with FTC Commissioner Julie Brill about the new ‘Safe Harbour’, the implications of the EU privacy reform, and privacy issues arising from the boom of the Internet of Thing.
The Digital Post: The European Union and the United States of America have reached an agreement on a new Safe Harbour data treaty. What are in your view the main achievements of the deal? What would have been the concrete risks if an agreement weren’t signed?
Julie Brill: The main achievement of Privacy Shield is that it provides strong privacy protections for European consumers and creates a framework for more parties to engage in active supervision and stronger enforcement cooperation. With respect to commercial data practices, Privacy Shield will provide stronger privacy protections than Safe Harbor did – through beefed up onward transfer requirements, and in other ways.
Privacy Shield will also establish more active supervision of the program in practice, so that the Department of Commerce, the European Commission, European data protection authorities (DPAs), and the FTC can detect and address any issues that come up. Privacy Shield will also provide a well-defined process for consumers to complain about the data practices of Privacy Shield companies.
The FTC will remain committed to giving priority to complaint referrals from DPAs, and there will be a better process in place for following up on these complaints. And even in the absence of referrals from DPAs, the FTC will continue to aggressively look for violations of the Privacy Shield principles.
Finally, in the area of national security, the United States agreed to take the unprecedented step of designating an ombudsperson to take complaints about surveillance activities that relate to Privacy Shield. This is in addition to the significant reforms that Congress and President Obama have made to surveillance practices in the past few years.
The risks if Privacy Shield hadn’t been agreed upon would have been that consumers and businesses would have continued in the limbo in which we currently exist, where some mechanisms to transfer personal data from the EU to the U.S. are still allowed, but they are expensive, opaque, and much more difficult for the FTC to enforce.
Of course, Privacy Shield still has many steps to take before it receives approval. If it were not approved, then companies – particularly small and medium enterprises – would lose out because of the time and resources that they have to put into alternative arrangements for data transfers.
But consumers also would lose out because they would have far less transparency into which companies are handling their data, the rules governing data transfers, and where to go to complain if they believe their rights are not being respected.
TDP: According to some observers, the new agreement won’t be sufficient to meet the concerns of the European Court of Justice. What is your opinion?
JB: It’s important to remember that the CJEU’s Schrems decision did not address national security surveillance practices in the United States. Rather, the case was based on the court’s concern that the European Commission’s adequacy decision in the year 2000 did not address U.S. privacy protections relating to national security surveillance.
It is hard to say how the CJEU would have assessed a full, accurate record concerning surveillance practices and privacy protections in the United States, had those facts been before the court. In any event, the U.S. has enacted significant reforms since the Schrems case was referred to the CJEU, and the U.S. is making further commitments through Privacy Shield.
On the whole, I believe these protections meet the CJEU’s standard of “essential equivalence to the EU legal order”, but we will have to wait to see if Privacy Shield is challenged to know whether the CJEU agrees.
TDP: Is the GDPR going to widen the chasm between EU and US regulatory approaches to data protection? How the FTC is working on this issue?
JB: The GDPR incorporates several provisions that either appeared first in the United States or are by now very familiar to companies and enforcers in the U.S. Examples include a focus on reasonable data security through a continuing process of risk assessment and mitigation, a general security breach notification requirement, heightened protections for children, privacy by design, and a recognition that deidentification can reduce privacy and security risks.
There are some differences between the European and U.S. versions of these provisions, but overall they show how developments in the U.S. can influence the direction that Europe takes.
On the other hand, some provisions of the GDPR move further away from the U.S. approach. A prime example is the GDPR’s right to be forgotten article, which extends to all data controllers. This expansion is a sharp contrast to the very targeted and specific provisions of U.S. law that help individuals keep some information about themselves obscure.
Companies and regulators on both sides of the Atlantic need to start working out answers to the many questions that the GDPR raises. That’s one reason that I think it’s so important for us to move beyond the issues surrounding mechanisms for data transfers that have dominated the discussion for the past several months.
With the announcement of an agreement on Privacy Shield in the past several weeks, I hope we now can begin to discuss the GDPR and issues like big data and the Internet of Things in a more sustained and meaningful way.
TDP: The FTC has been focusing on privacy issues related to the booming sectors of Internet of Things and Big Data. What are the risks? How regulators should deal with this very sensitive issue?
JB: There are important roles for enforcement, policy development, and business and consumer guidance in the Internet of Things and Big Data ecosystems. On the policy and guidance front, the FTC has been taking a close look at the potential benefits and risks of the Internet of Things and big data.
We have hosted public workshops, taken public comments, and written key reports on the broad range of technical and economic concerns that arise from having many more connected devices, huge volumes of personal data, and rapidly improving analytics.
We heard a lot about the exciting possibilities to solve problems in health care, transportation, the environment, education, and other areas; but we also learned about significant risks. Security is a huge challenge with the Internet of Things.
Not only are many devices being offered by companies that do not have long track records with data security, but these devices are also being used in ways that collect highly sensitive information and create physical risks to consumers.
With respect to big data, we found that there is a potential for unfairness or discrimination to enter through biases in data collection and analysis. Some of these issues could get companies into trouble under fair lending, credit reporting, or other laws. Other issues arise in settings that these laws do not cover, but companies still need to be aware of them because they may be deceptive or unfair.
Enforcement also plays an important role in the FTC’s approach. We have already brought enforcement actions relating to privacy and security violations with IoT devices. We have the authority to stop unfair or deceptive practices – whether or not they involve new technologies and business practices – and we will use it in appropriate cases.