The Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, says Christian Wigand, EC spokesperson for Justice.
The Digital Post: Despite the reassuring statements of the European Commission, the new “Safe Harbour” does not seem out of danger. Is the Privacy Shield strong enough to resist any future attempt to challenge its legal legitimacy?
Christian Wigand: As we have said from the beginning, the Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, which have been the basis for the negotiations. We used the ECJ ruling as a “benchmark” in the final phase of the negotiations. Let me explain how three key requirements have been addressed:
– The European Court of Justice required limitations for access to personal data for national security purposes and the availability of independent oversight and redress mechanisms.
The U.S. ruled out indiscriminate mass surveillance on the personal data transferred to the US under this arrangement and, for the first time, has given written commitments in this respect to the EU. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be set up, independent from the intelligence services.
– The Court required a regular review of the adequacy decisions.
There will be an annual joint review to regularly review the functioning of the arrangement, which will also include the issue of national security access.
– The Court required that all individual complaints about the way U.S. companies process their personal data are investigated and resolved.
There will be a number of ways to address complaints, starting with dispute resolution by the company and free-of-charge alternative dispute resolution solutions. Citizens can also go to the data protection authorities, who will work together with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress in the area of national security for EU citizens will be handled by an Ombudsman independent from the US intelligence services.
TDP: Three months ago French Interior Minister Bernard Cazeneuve and his German counterpart, Thomas de Maizière, called on the EU to adopt a law that would require app companies to make encrypted messages available to law enforcement. What is the official position of the Commission on this particular issue? Is the Commission working on a proposal?
CW: Encryption is widely recognised as an essential tool for security and trust in open networks. It can play a crucial role, together with other measures, to protect information, including personal data, hence reducing the impact of data breaches and security incidents. However, the use of encryption should not prevent competent authorities from safeguarding important public interests in accordance with the procedures, conditions and safeguards set forth by law.
The current Data Protection Directive (which also applies to the so-called over-the-top service providers such as WhatsApp or Skype) allows Member States to restrict the scope of certain data protection rights where necessary and proportionate to, for instance, safeguard national security, and the prevention, investigation, detection and prosecution of criminal offences.
The new General Data Protection Regulation (which will apply as from 25 May 2018) maintains these restrictions.
TDP: According to a survey published recently by Dell, most firms are unprepared for the EU’s General Data Protection Regulation less than 18 months before it enters into force. Are you worried about that?
CW: To make the new data protection rules work in practice is a priority for us and we work closely with all stakeholders on that. The European Commission has set out a number of measures to make sure that companies operating in the European Union as well as national regulators will be ready for the new rules. There is work ongoing on all levels, with data protection authorities, industry representatives, data protection experts from Member States and of course national governments. For example, there are monthly meetings with Member States authorities on implementation. At the same time we are setting up a network between the Commission and national authorities to exchange information on the implementation of the Regulation and to share good practices.
Picture credits: U.S. Army
In the context of the 7th annual EuroCloud Forum, which takes place from 5-6 October in Bucharest, Romania, Elena Zvarici, executive board member of EuroCloud Europe, talks about how Europe can take advantage of cloud computing and the data economy.
In order for Europe to take full advantage of cloud computing and the data economy, we need to strike the right balance between regulation and innovation
In the digital world the balancing act between business and regulation is a delicate one. In the past year we have seen the adoption of the new European General Data Protection Regulation, the invalidation of the Safe Harbour agreement for transatlantic data transfers and problematic discussions around its replacement, the Privacy Shield.
Setting these developments into the context of the many ongoing initiatives at EU level aimed at encouraging innovation and the data economy, it is clear that getting the balance right is no easy task.
Europe is leading the way in data privacy and advocates a high level of data protection worldwide. The newly adopted General Data Protection Regulation introduces a new concept of responsibility towards data ownership, as well as new legal obligations with which businesses must comply. For cloud SMEs and start-ups, getting up to speed can be problematic and they will need help.
A coordinated approach is needed between data protection authorities, policy makers and industry, in order to help organizations in this transition, by providing adequate data breach reporting tools, compliance toolkits and publicising the key issues. Let’s make sure that European SMEs and start-ups, so often the drivers of growth in Europe, are well placed to comply.
While the GDPR provides a high level of data protection we must remember that we are ever more connected through digital means and cannot think solely in terms of Europe. We are global users and exporters of digital services and need to have a strong cloud computing and data economy to be competitive. International data flows will play a key part in this. To avoid regulation clashes and to create international data-driven markets, in the future we should strive towards the creation of uniform, accepted standards of personal data protection on a global basis.
The recent agreement on the Privacy Shield for EU-US data transfers did not come a moment too soon and will hopefully bring the much needed legal certainty for the approximately 4,000 businesses that made use of the Safe Harbour mechanism. This legal assurance is vital. Many of these companies rely on global information exchanges. Let’s hope that the provisions in the Privacy Shield can provide a robust enough framework to encourage data flows while providing high standards of data protection.
Global data flows are vital to international trade and economic growth and the European Commission Initiative on the free flow of data, expected at the end of 2016, should aim to enable European companies, particularly in the growing cloud computing sector, to be in the forefront of the global innovation race.
The Initiative should aim to reinforce the European cloud sector, so that companies are encouraged to develop new innovative services in the cloud, sell their services cross-border and enter the global market as exporters of technology.
This can be done by providing clarity on issues such as data ownership, liability arising from data use and data localisation across Europe.
If we really want to position Europe as a global leader in the data economy we need to ensure that we get the balance right. This means ensuring high levels of privacy while fostering new business innovation in sectors that rely on data and developing trust and confidence among users, from the individual consumer to the public and private sector.
Now is the time to move forward and encourage Europe to reap the benefits of data and the cloud.
Picture credits: Roberto Sartori
If Standard Contractual Clauses (SCCs) suffer the same fate as Safe Harbour then transferring data to the US will in practice become almost impossible, further threatening to balkanize the Internet and to undermine international trade.
Eight months ago the Financial Times warned in an editorial that a ruling by the Court of Justice of the European Union (CJEU) to invalidate Safe Harbour, a commonly used legal mechanism for transferring data to the US, threatened to balkanize the Internet and undermine international trade.
That threat deepened sharply last week when Ireland’s top data protection authority, the Irish Data Protection Commission, announced it would refer another legal mechanism, Standard Contractual Clauses (SCCs), to the courts too.
After Safe Harbour was invalidated, companies that need to transfer data as part of their day-to-day activities scrambled to find other legal methods to allow them to continue. One such method is Standard Contractual Clauses.
If SCCs suffer the same fate as Safe Harbour then transferring data to the US will in practice become almost impossible.
But it’s not just transatlantic data flows that are being called into question. Companies use SCCs to transfer data all over the world.
If Europe’s courts conclude that SCCs are no safer than Safe Harbour this could effectively cut Europe out of the emerging global data economy, and that would hurt companies from almost every corner of the economy – not just the tech sector.
Global data flows are vital to international trade. Forcing companies to store their data within Europe will have serious implications for Europe’s economic prospects.
As the European Data Protection Supervisor, Giovanni Buttarelli, himself said last week, it is unreasonable to ask companies to reinvent their practices all the time.
I would urge Europe’s data protection authorities to stop shifting the legal goal posts for international data transfers and to wait until Safe Harbour’s intended replacement, the Privacy Shield, has been given a chance to work.
The Privacy Shield, with its Ombudsperson role, would address the key concerns about EU citizens’ potential exposure to unwarranted surveillance by US security agencies.
Privacy activists have dismissed the Privacy Shield before it’s even been given a chance to work. Jumping to a negative conclusion when so much is at stake seems rather reckless.
Right now we need more legal certainty, not less. Give Privacy Shield a chance. If necessary make fixes once it’s in place but don’t throw companies into a legal black hole by closing down all options for international data transfers.
Picture credits: Devin Poolman
Looking at Europe’s digital progress, 2015 started under great promise but didn’t end quite so well. So how can Europe do better? Here are 5 tests I’ll be applying in a year’s time.
Must do (quite a lot) better in 2016. Yes, it’s a cliché but that might well be the end-of-year report on Europe’s digital progress in 2015.
It started with great promise: President Juncker making snappy videos about his digital street cred, a Vice-President for the Digital Single Market and a Commissioner for Digital Economy and Society, and a DSM strategy with welcome consultations.
But the year didn’t end quite so well, did it?
A compromise on data protection that didn’t deliver on its original promise of reduced costs for business, with a single consistent approach across Europe and a one-stop-shop; real uncertainty for many businesses thanks to the ruling on Safe Harbour, and endless examples of incumbent interests seeing off the disruptors who had the temerity to use digital to offer better, cheaper service to European city dwellers.
So how can Europe do better this year? Here are 5 tests I’ll be applying in a year’s time.
First, and it’s a big one, I’ll be asking whether we give as much weight to gaining the benefits of the new, and increasingly global, data economy and society – from health benefits to wealth benefits – as we do to the important task of keeping our data safe and secure. Have we grasped the opportunities of global data flows and resisted unproductive forced localization?
Second, make it more attractive, not less, to invest in Europe’s digital infrastructure. If the EU is to lead the way to 5G, crucial bands will have to be made available in a coordinated and timely way, putting an end to today’s national fragmentation.
My third test: make a real improvement in the quality and quantity of digital skills available both to tech suppliers and their customers in Europe’s industries and public services alike. At the end of the year I want to see that Europe’s citizens can easily and cheaply acquire the digital skills they need to be active in our digital Europe.
Next, really do unlock the potential of e-commerce. Don’t just say you’ll do so while building new barriers and making consumer rules in the online world different from, and more complicated than, the off-line world. Recognise that for most Europeans this distinction is fast disappearing.
Fifth and finally, I want to see that many more of Europe’s business leaders and politicians have grasped and actively promoted the power of digital to modernise our industries and improve public services to drive the single market. Will we have shifted our thinking to exploit the power of modern platforms rather than worrying about them?
To borrow from Machiavelli, Europe has to tackle the powerful vested interests that profit from the status quo, while at the same time embracing the disruptors who dare to challenge them.
I look forward to seeing you again next year and I have every expectation of a better report.
photo credit: Tom Gill
Adam Smith said that the road to certainty passes through the valley of ambiguity – Germany’s stance on cross-border data flows is no exception.
Germany is increasingly accused of engaging in digital protectionism, and of commandeering the rest of Europe into policies aimed at ‘information sovereignty’ and at countering the threat of the data-driven ‘Industrie 4.0’.
While the politically important German telecom and publishing sector openly argues for a ‘data Schengen’ that would effectively push US competition out of Germany or Europe, the government has been more cautious, preferring to talk in ambiguous terms, not least because German exporters face such barriers overseas.
The federal government recently adopted a set of guidelines aiming to increase the ‘flexibility and security’ of its government-run IT systems.
Germany’s 200 or so different government agencies run 1,300 data services centres, causing functional overlap and economic inefficiencies.
The new proposal, drafted by Germany’s interior ministry, advocates the consolidation of government-run IT systems and IT services centres.
So far, so good. Efficiency and order sound like the good governance we have come to expect.

However, the proposal is accompanied by a far-reaching move towards data localisation: for external cloud and software services purchased by Germany’s public authorities, the government’s new guidelines (Resolution 2015/5 of the federal government’s IT Council) stipulate that sensitive information (including government secrets and infrastructure information) has to be stored on servers within Germany.
The last nail in the coffin
At first sight, such requirements may sound reasonable in the post-Snowden environment; the NSA was, after all, listening in on the Chancellor’s phone calls.
Also, a serious attack on the IT systems of the Bundestag caused parliamentarians to question government agencies’ cyber security competence.

But such notions rest on a very common misconception: that data security is a function of where the data is physically located.
On the contrary, centralising data in one country increases both the likelihood that it will be attacked and the scale of the damage a successful attacker can cause.
Rather than fighting fire with fire by prosecuting business, Germany should use its moral high ground to push other governments into a system built on mutual legal assistance, where governments are held accountable for their laws, not the firms that try to abide by them. But it seems as if the imperative of looking tough took priority over being effective.
In the long term
Many private firms increasingly or exclusively rely on cloud-based storage and data processing. According to a recent Eurostat survey, 19 per cent of European firms used cloud computing in 2014, primarily for email hosting and storage services.
46 per cent of those companies used advanced cloud services including financial and accounting software applications, customer relationship management and other business applications.
In general, a government-imposed limitation of vendor choices artificially restricts competition, incurs higher cost and prevents innovative business models from gaining ground and scale.
Accordingly, data localisation destroys well-functioning digital business models, increases the risk of successful attacks due to data concentration, and undermines the international competitiveness of digital and traditional exporters, all of which is to the detriment of the German economy.
photo credit: Erwin Brevis
The new Safe Harbour ruling has shown the difficulties in adapting existing legal rules to the globalised, digital era. Online privacy legislation is clashing with modern business models, while European regulators are struggling to balance citizen rights with the desire to boost the competitiveness of the tech industry.
If someone were asked to guess which issue has generated the fiercest debate in Brussels in recent months, the European Court of Justice (ECJ) Safe Harbour ruling would be the answer. Brussels has not stopped talking about it since 6 October. The name Safe Harbour, which evokes a secure environment, no longer fits the legal uncertainty and insecurity that the ruling has generated.
The ECJ ruled that the transatlantic Safe Harbour agreement, which allowed American companies to use a single standard for consumer privacy and the transfer of private information between the EU and the US, is invalid.
With its ruling the ECJ has considerably challenged, if not disrupted, this framework put in place to ease transatlantic information sharing, deeming it inadequate, especially in light of the surveillance allegations and scandals involving US intelligence services (including the NSA).
The upshot of the ruling is that there are now only limited pan-EU rules on data flow from Europe to the USA.
The ECJ has caused quite a stir in the tech world with its recent judgment. Tech companies, big and small, are scrambling to see what data they process and where it is transferred. Most multinationals are now legally obliged to suspend any transfer of their customers’ data to the USA and to move their data storage and operations to an EU subsidiary.
Has anyone quantified the economic implications of a real stop to data transfers between the EU and the USA? A power blackout is the best analogy I can think of.
The European Commission has therefore been put in a tough position. While it has to support the ruling of the European Court of Justice and guarantee citizens’ privacy, it has provoked the ire of the ICT industry. Trade and business associations are lobbying for a pragmatic solution, namely a transition period that would legalise the current transatlantic data flows.
The Commission has also promised guidelines for companies and data processors by early November and is working together with the national authorities to prevent fragmentation. But industry fears that this will not prevent headaches, stress and costs. A German data protection authority, for instance, has already warned it would fine non-compliant companies severely.
Meanwhile, Europe and the USA have also been negotiating a renewed Safe Harbour agreement. The ruling comes in the midst of these talks and will be an extra source of pressure. However, little can be done to accommodate the ruling unless America agrees to suspend its surveillance mechanisms on EU citizen data, which would be a very big ask.
In summary, the new Safe Harbour ruling has shown the difficulties in adapting existing legal rules to the globalised, digital era. Online privacy legislation is clashing with modern business models, while European regulators try to balance citizens’ rights with the desire to boost their tech industry and remain competitive. It’s a fierce storm with no lighthouse in sight.
The Safe Harbour agreement is not the appropriate instrument to solve transatlantic tensions over government mass surveillance in the US. The issue should be addressed separately from the US-EU commercial agreement regulating data transfer, whose suspension would leave companies in the middle of a jurisdictional conflict they cannot themselves resolve.
The EU-US Safe Harbour agreement has been the subject of a great deal of interest in recent weeks. At the end of March the head of the Article 29 Working Party, which represents Europe’s data protection authorities, raised the subject in the context of mass surveillance of private data by US security agencies in front of the European Parliament’s Civil Liberties (LIBE) Committee.
At the same time Justice Commissioner Vera Jourova announced that she intends to conclude a revision of Safe Harbour with her US counterparts at the end of May. The debate is set to intensify this month as negotiators count down to the self-imposed deadline for revising the 14-year-old bilateral agreement.
Amid all this attention it is worth pointing out a few things about Safe Harbour that have been overlooked in much of the media coverage of the subject, and to explain why it is so important to revise rather than suspend the mechanism.
The EU-US Safe Harbour agreement facilitates transatlantic transfers of commercial data by European and US companies of all sizes. It is a vital tool for a wide range of industries engaged in the trade in goods and services between the EU and the US.
The agreement needs to be refreshed and we support the efforts of the European Commission to improve it. We are confident that the reform of Safe Harbour can be achieved through political discussions between the two trading partners.
While respecting citizens’ right to privacy, we believe an improved Safe Harbour agreement must continue to facilitate data transfers conducted by law-abiding companies.
Any suspension of Safe Harbour would affect American and European companies alike, and it would be especially burdensome for small and medium size enterprises that use the mechanism for data transfers to the US.
A suspension would clog up perfectly legitimate, non-controversial, safe flows of non-personal as well as personal data, and it would therefore have significant economic consequences for the US and the EU.
Similarly, if national data protection authorities were empowered to override EU level agreements such as Safe Harbour, as suggested by some national data protection authorities last month during a hearing at the Court of Justice of the EU (CJEU), this would lead to the splintering of EU rules on international data transfers.
This in turn would undermine efforts to create a digital single market, and instead create even more fragmentation and legal uncertainty within the EU than there is today. At the heart of the case being heard in court last month is the issue of protection of a citizen’s private data from US security agency surveillance.
The tech industry in the US has joined forces with privacy groups in opposing efforts to extend bulk surveillance by US security agencies. In Europe we have been criticised by European security agencies for placing too high a priority on citizens’ privacy.
DIGITALEUROPE shares the concerns of the public and opposes the bulk collection of citizens’ data by state security agencies. However, the Safe Harbour agreement is not the appropriate instrument to solve this problem. Isabelle Falque-Pierrotin, Chair of the Article 29 Working Party, said as much at a meeting with the European Parliament’s LIBE Committee at the end of March.
Attempting to solve the problem through the revision of Safe Harbour would only deflect attention from the real discussions that need to occur.
That discussion requires direct government-to-government negotiations on the norms governing cyber surveillance and access by authorities. It cannot be resolved in a commercial agreement, which would leave companies in the middle of a jurisdictional conflict they cannot themselves resolve.
We urge the European Commission, which leads the European negotiating team, to treat this task separately from the revision of rules to allow for the transfer of commercial data from Europe to the US. For more information please read our position paper on the Safe Harbour revision.