EU data protection groups: Fix Privacy Shield or face lawsuit

‘Significant concerns’ over transatlantic data flow deal

European data protection agencies have told authorities to address their “significant concerns” about Privacy Shield, or risk having the deal tested in court.

The Privacy Shield agreement governs transatlantic data flows and is the product of a lengthy wrangle after its predecessor, the Safe Harbor agreement, was ruled invalid by the Court of Justice of the European Union in October 2015.

Like its predecessor, Privacy Shield has come under fire from privacy campaigners and from the Article 29 Working Party (WP29), the name the merry band of European Union data protection agencies take when working together.

In a bid to garner trust and demonstrate there is more oversight this time around, the European Commission and the US government pledged to review the new deal on an annual basis.

The first such investigation reported in October, concluding that the deal provided an “adequate” level of protection for personal data. It saw the Commission praise even small achievements, while giving a much longer list of areas that needed improvement.

The WP29 has now released its own review of Privacy Shield, which isn't quite so diplomatic: it says that, although the deal is better than Safe Harbor, there are still “significant concerns” to be addressed.

The group called on authorities to “restart discussions” and “immediately” develop an action plan to address the concerns, or it would be happy to ask national courts to refer the matter to the Court of Justice of the European Union (CJEU), the court that struck Safe Harbor down.

Two of its top priorities are similar to those raised in the official review: filling the vacant posts on the Privacy and Civil Liberties Oversight Board and appointing a permanent ombudsman.

The EU data protection agencies also called for further explanation of the rules of procedure that support the operation of Privacy Shield, including by declassifying information.

This includes details of the exact powers of the ombudsperson mechanism, onward transfers of data and evidence that collection of data for national security purposes isn’t indiscriminate.

While the justice commissioner Věra Jourová has declined to set any deadlines, the WP29 says these concerns need to be resolved by May 25, 2018 (for those who haven’t got that date burned into their brains, that’s when the General Data Protection Regulation starts to apply).

Further concerns must be addressed “at the latest at the second joint review”, which would be in September.

“In case no remedy is brought to the concerns of the WP29 in the given time frames,” the group continued, “the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.”

The group's concerns fall into two main areas: the commercial aspects of the deal and the national security implications for EU citizens.

On the commercial side, the WP29 called for more guidance for companies, details on the handling of HR data and automated decision-making and clarity on available recourse for data subjects.

On the national security side, the group said that, although there is more transparency, there's still room for improvement.

For instance, it said that it “regrets” that the report on Presidential Policy Directive 28, which says surveillance activities must safeguard personal information regardless of where the person resides, is still subject to presidential privilege.

The group also suggested some improvements for the US government to take into account as it battles to re-authorise Section 702 of the Foreign Intelligence Surveillance Act, which will expire at the end of the year.

“Instead of authorizing surveillance programs, section 702 [which allows US spies to search communications data] should provide for precise targeting, along with the use of the criteria such as that of ‘reasonable suspicion’, to determine whether an individual or a group should be a target of surveillance, subject to stricter scrutiny of individual targets by an independent authority ex-ante,” the EU data protection bods opined.
