Committees: Wait! Don't strap on the Privacy Shield yet

Two working parties, ministers galore... but data transfer law remains in limbo

The revelations by rogue NSA sysadmin Edward Snowden in 2013 caused indignant EU politicians to open a dialogue with the US government to update the data transfer regime to safeguard personal data. The Privacy Shield is the culmination of those discussions.

The US's hands-off approach has always differed from the EU's interventionist approach, particularly when it comes to personal data. According to a German lawyer I interviewed, this is partially thought to stem from Cold War snooping by the former East German secret police and by neighbour-on-neighbour snooping. The counter-view in the US is for commerce to be as free from restraint as possible, and this is thought to explain the lack of a federal law equivalent to the EU regime.

In some ways, protecting data is the big issue of the moment that is not going away and the new General Data Protection Regulation – due to apply from 2018 – is further evidence of that.

So what is the Privacy Shield then?

The new Privacy Shield is supposed to be the new way to enable data transfers from the European Economic Area to the US. It seeks to address a number of the failures highlighted after Safe Harbour was ruled defunct in the Schrems vs Facebook case. In that case, the court considered that transfers under Safe Harbour were not safe because the US does not offer "an adequate level of protection" for personal data relating to European data subjects.

As for Privacy Shield, it has a number of facets:

  • Strong obligations: The idea is that there will be greater transparency with stronger sanctions.
  • Safeguards: There is written assurance from the US that there will be clear limitations, safeguards and oversight mechanisms over access to data by public authorities.
  • Monitoring: there will be a joint review by the European Commission and the US Department of Commerce to monitor the functioning of the Privacy Shield and a report will be published.
  • Redress: there will be several avenues of redress, including not just against the company direct but also with engagement by the US Department of Commerce and Federal Trade Commission to ensure complaints are investigated and resolved. A new Privacy Shield Panel can produce .
  • Finally, there will be a data transfer regime that will allow individuals to be certain their data will be protected as well as assurances for EU companies to transfer data without worrying they will be penalised.

But wait – it’s not that simple. Looking behind the rhetoric reveals there is still some way to go.

Working Party criticism

The Article 29 Working Party is composed of representatives of the national EU data protection authorities, the European Data Protection Supervisor and the EU Commission. It is an important body providing input on data protection matters, and has published an opinion (PDF) in which it broadly welcomed the “significant improvements brought by the Privacy Shield compared to the Safe Harbour decision”. At the same time, it levelled a number of criticisms, observing that “some key data protection principles… are not reflected in the draft adequacy decision.”

Specifically, it is not satisfied that there is enough clarity around the principle that data should be used only for particular purposes. Nor is the data retention principle expressly mentioned or dealt with. And there is no specific wording on the protection against decisions derived from automated processing.

The Working Party's criticisms don't end there - it is also concerned that the new redress mechanism might be too complex, and it wants national EU data protection authorities to be considered the natural point of contact for EU citizens wishing to complain. Nor is it happy with the level of detail from the US Office of the Director of National Intelligence regarding the prevention of the "massive and indiscriminate collection of data" revealed by Snowden, which triggered the collapse of Safe Harbour in the first place. It also wants to see proper independence for the new Ombudsman. Finally, it recognises that the Privacy Shield will have to be reviewed again in 2018 once the GDPR is in force.

Not surprisingly, the EU Commission is currently looking to revise the Privacy Shield to address these criticisms.

Article 31 Committee indecision

The Article 29 Working Party is not the only body involved; the Article 31 Committee has to give its blessing too. The Article 31 Committee, which like its counterpart was established by the article of that number in the original EU Data Protection Directive, is composed of representatives from the EU Member States and validates data transfer Adequacy Decisions.

During its recent meeting in May 2016, the Article 31 committee appears not to have reached consensus on the adoption of the Privacy Shield. The EU Commission is hopeful that agreement will be reached by the end of June but perhaps this will depend upon how quickly the Privacy Shield is modified to take into account the criticism by the Working Party.

What next?

This all seems like a mess. The Article 29 Working Party had previously notified the EU that its members, the national EU data protection authorities, would “take all necessary and appropriate actions, which may include coordinated enforcement actions”, if its January 31 deadline was not met for the introduction of the new Safe Harbour.

Despite its criticisms of Privacy Shield, though, it does not appear to have introduced a new deadline or encouraged its members to take action.

The world of data transfers remains in limbo, waiting for the EU Commission to sort itself out. And ultimately, the EU Court of Justice is likely to assess the new regime before too long, with Schrems-style litigants bound to be ready to test the new rules.

In the meantime, of course, data transfers will continue. Therefore, to some extent, business is on its own in trying to work out what to do. I recommend data controllers and data processors continue to evaluate and implement appropriate measures to protect data during transfers.

Data controllers should make sure they have adequate safeguards in their contract terms with processors, even if that processor is a large US cloud company which trades on its own terms.

Remember, the data controller is primarily responsible under data protection legislation and will be the first one to be fined if there is a breach. If the standard terms don’t give you enough protection, look elsewhere.

Keeping data inside the UK or EEA seems a bit protectionist, but it is ultimately better than getting hit by a large fine, especially with France and Germany rumoured to be looking to apply the new GDPR fines of up to €20 million or four per cent of global revenue early.

Consider using the EU model data protection clauses and, for large multi-national organisations, consider adopting Binding Corporate Rules. Obviously, these are permitted by the current legal framework and may change once Privacy Shield is finalised. But for now, it seems like the best option. ®

Biting the hand that feeds IT © 1998–2022