Grab your popcorn: The first annual Privacy Shield review is go

Trump administration’s views on privacy to come under scrutiny

Transatlantic data-transfer agreement Privacy Shield is facing its first major political hurdle as the inaugural joint review kicks off this week.

Agreed last summer, the deal between the European Union and the US aims to safeguard EU citizens' data when it is transferred across the pond.

The two-day review, launched today by EU justice commissioner Věra Jourová and US secretary of commerce Wilbur Ross, will assess whether the Privacy Shield agreement is working as it should. Although the review body will make recommendations for improvements, it is not expected to result in any major renegotiations.

The framework emerged from the ashes of the failed Safe Harbour agreement – which was ruled invalid as a result of Max Schrems' case against Facebook's data slurping – and has not had an easy start to life.

For one thing, it was facing legal challenges almost immediately – one from advocacy group Digital Rights Ireland, another as a follow-up to Schrems' original case – while the change in the US administration poured more uncertainty into the mix.

Questions were also raised over whether president Donald Trump's executive orders on immigration, which limited citizens' privacy rights, undermined Privacy Shield.

A statement from Jourová after today's meeting with Ross indicated these concerns would be on the table, and that some reassurances had been made already.

"I am glad to be reassured that America First doesn't mean America only," she said. "EU-US Privacy Shield is an example where both sides can benefit, if it is implemented correctly and if we build trust.

"I'm also pleased that Secretary Ross understands the importance of data privacy in transatlantic relations. Transfer of data underpins our huge trade relations and is bread and butter for many European and American companies."

The review will also look at the role of US ombudsman for Privacy Shield. Rather than being formally filled, the role defaulted down a few layers to Judy Garber, the acting assistant secretary in the Bureau of Oceans and International Environmental and Scientific Affairs.

Jourová told the FT: "We are patient but cannot be patient forever... We will ask when we can expect the fully fledged heads of these important offices to be put in place."

Another issue will be how much the agreement is used in practice. Although 2,400 firms have signed up to the pact – a self-certification made to the US Department of Commerce – Kathryn Wynn, partner at Pinsent Masons, said that there wasn’t much evidence it was being relied on.

"There's not that many examples of it actually being used," she said, adding that anecdotally there was some nervousness around relying on Privacy Shield.

Wynn put this down to both the travel bans imposed by the new administration and the ongoing legal challenges, which might be "putting people off", in case the deal is rendered partly or wholly invalid in a year's time. She said the review might need to address any lack of confidence in the scheme.

Omer Tene, vice-president of research and education at the International Association of Privacy Professionals, agreed the review needs to look at how Privacy Shield is working in reality.

"The EU will no doubt take a hard and close look at the deployment of Privacy Shield on the ground, including not only adherence by companies and oversight by the FTC, but also checks on government surveillance under the new US administration," Tene said.

The joint report is expected to land in the second half of October, but that might not be the end of things from the European side.

The EU's Article 29 Working Party of the member states' data protection authorities has made no secret of its concerns about the agreement, but gave it a year to bed in, promising to hold off on a legal challenge until the review.

In a June statement setting out what it expected of a joint review, the working party said:

"Subject to the outcome of the joint review and the report of the Commission, the WP29 may also present a separate public report following the joint review and an updated assessment of the Privacy Shield in a separate statement based on the findings presented to the plenary by the review team of the working party." ®
