Privacy Shield: Data Protection Commissioners break out a six-pack

Get comfortable, you're not going to be using it to transfer data any time soon

Hawktalk In this blog, I make a few comments about “Safe Harbor 2” (or the “Privacy Shield”, to use the flashy marketing term for the recently announced agreement). In summary, there is no published evidence that the Privacy Shield actually provides an adequate level of protection, so, contrary to all those optimistic news reports, please “hold your horses” if you are anticipating transfers to the USA under Privacy Shield.

Also be aware that some serious contingency planning might be needed if Europe’s Data Protection Commissioners judge that the Privacy Shield does not provide an adequate level of protection.

The importance of Schrems

The first thing to understand is that the European Commission, which is trying to finalise a replacement deal for Safe Harbor, is not in the driving seat; neither are the USA negotiators.

This is because the most important part of the Court of Justice of the European Union (CJEU) judgment in Schrems was not that the Safe Harbor agreement was declared invalid; it was that Data Protection Authorities can assess for themselves whether any “transfer” to a territory outside the European Economic Area (EEA) provides an adequate level of protection.

In its judgment, the CJEU said that the Data Protection Authority’s ability to independently assess adequacy applied universally. It said the existence of an international agreement such as Safe Harbor that claimed adequacy:

“…does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection”.

Note the implication of this. If a Data Protection Authority found that the level of protection was inadequate, then it could act to protect the interests of data subjects (e.g. by banning transfers to that territory) despite any political agreement asserting adequacy.

As will be seen, this independence generalises to any transfer to any non-EEA country for any purpose and under any agreement (e.g. transfers subject to Binding Corporate Rules (BCRs) or European Commission Standard Contractual Clauses).

This issue seems to have escaped the notice of the USA negotiators, who almost appear to consider Privacy Shield a done deal. Secretary of Commerce Penny Pritzker, for instance, delivered the following statement on the completion of the EU-U.S. Privacy Shield:

“This historic agreement is a major achievement for privacy and for businesses on both sides of the Atlantic. It provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses and millions of individuals can continue to access services online.

Beyond being essential to transatlantic commerce, the EU-U.S. Privacy Shield also underscores the strength of the U.S.-EU relationship. It demonstrates our commitment to working together as leaders in the global economy, promoting our shared values, and bridging our differences where they exist”.

“Shields down!”: back to Earth with a bump

Anyway, back to reality and the Article 29 Working Party of Data Protection Authorities (WP29), a powerful advisory board with representatives from the European Commission and the national data protection authorities.

In its press statement on Privacy Shield, it is clear that the WP29 has not accepted any fait accompli.

Its press release says that WP29 needs “four essential guarantees” before the USA is deemed to offer an adequate level of protection. These guarantees, which concern access by US national security agencies to personal data transferred to the USA, are:

“A. Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred;

B. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;

C. An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks; (CP comment: can we have an effective independent oversight mechanism in the UK as well please?).

D. Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body. The WP29 stresses that these four guarantees should be respected whenever personal data are transferred from the EU to the United States and to other third countries, as well as by EU Member States.” (My emphasis, to show that WP29 considers Schrems is NOT limited to transfers to the USA.)

The WP29 press statement then says it needs to see the detail of the agreement (e.g. WP29 “will examine whether the (Privacy Shield) provisions respect the powers of Data Protection Authorities as laid down in Article 28 of Directive 95/46/EC”). Roughly translated into plain English, this means: “WP29 wants to be satisfied that there is a valid mechanism to sort out any data protection issue before it approves the Privacy Shield as adequate”.

Accordingly, “the WP29 calls on the Commission to communicate all documents pertaining to the new arrangement by the end of February”. This can be translated as: “WP29 does not trust the politicians to get the detail right; WP29 gives you four weeks to provide the details”.

In the meantime, “EU Data Protection Authorities will therefore deal with related cases and complaints on a case-by-case basis”. (Translation: a Data Protection Authority “reserves the right to enforce its national data protection legislation where transfers do not use the alternatives to Safe Harbor”.)

There is also a sting in the WP29 tail arising from another aspect of the Schrems decision (see references). In summary, in Schrems the CJEU criticised the absence of any “due process” when the USA’s national security agencies gained access to personal data transferred under Safe Harbor.

This criticism applies to any transfer of personal data to the USA, a fact that has been picked up by the WP29. Its press statement states that once the WP29 has assessed the Privacy Shield documents, “the WP29 will consider whether transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the U.S”. (My emphasis.)

This emphasised comment explains the headline about WP29’s new muscle on display. Prior to Schrems, WP29 documents were largely left unread except by the cognoscenti; post Schrems (and with WP29 morphing into the European Data Protection Board under the Regulation), such documents are a must-read.

The implied threat to transfers is very clear: if the Privacy Shield documents do not pass muster on adequacy, then the other arrangements for transfers to the USA (Standard Contractual Clauses, BCRs) could be in trouble too.

Of course, there is a long way to go before any decision like this is made; WP29 showing that it has muscle is not the same as WP29 using that muscle.

However, it explains why I said at the beginning of this blog that some contingency thinking (if needed) might not go amiss.

References

Understanding Safe Harbor, Schrems v Facebook in less than 300 words

CJEU Case C‑362/14: Maximillian Schrems v Data Protection Commissioner; 6 October 2015

Secretary of Commerce Penny Pritzker press statement

WP29 views: (PDF)

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Bootnote Since the publication of this story, the European Data Protection Supervisor has issued an opinion stating his concern over the current wording, which, his office says, opens the possibility of bulk transfers of sensitive data between the US and an EU member state.
