EU-US Safe Harbour agreed - for now

News by Tony Morbin

A last minute agreement on EU-US Safe Harbour transatlantic data transfers has been announced, but civil liberties objections are expected by those who believe initial concerns are not fully addressed.

In a last gasp deal, an agreement has been reached today on US-EU transatlantic data sharing, with European Commission vice president Andrus Ansip announcing that a framework agreement is now in place, “that will ensure the right checks and balances for our citizens”.

The move follows Safe Harbour being declared illegal by the European Court of Justice last October in the wake of the Snowden disclosures that US authorities accessed data on Europeans when it was held in the US, a practice condemned by civil liberties groups. Now US authorities have pledged that the US will avoid “indiscriminate mass surveillance” of EU citizens. And a US ombudsman will follow up on complaints from EU citizens made via European data protection agencies (DPAs). Civil Liberties Committee chair Claude Moraes (S&D, UK) promised that the European Parliament will play the role of watchdog for citizens over any new Safe Harbour agreement.

However, Max Schrems, the Austrian student who first opposed Safe Harbour, is reported to have said that the changes do not address his fundamental concerns. 

Phil Lee, data protection partner at European law firm Fieldfisher, agrees, saying that the issue is far from resolved. In an email, Lee commented: "Today's announcement will undoubtedly be welcomed by many. But keeping in mind that this new Safe Harbour will almost certainly be challenged by civil liberties groups (and possibly even some data protection authorities) pretty much immediately, only the foolhardy would want to place their trust in a new Safe Harbour right now. Whether legal or not, its reputation is already shot to pieces."

Following the agreement, Moraes expressed his ongoing concerns, saying: "The new framework announced by Commissioner Jourová has no written text and my first concern is that it has too much in common with the previous Safe Harbour decision. The announcement does not indicate any measures which are legally binding on either party, but relies on 'declaration' by the US authorities on their interpretation of the legal situation regarding surveillance by the US intelligence services. Another key concern is that the creation of an Ombudsman... does not seem to be underpinned in the current statement by sufficient legal powers."

He added that it is imperative that a new agreement is quickly developed and the concerns expressed are quickly answered. “Without a stronger legal backing, the proposals announced today could again be challenged by the European Court of Justice. Members of the European Parliament will insist that we have a strong agreement that would survive such a challenge.”

Moraes also expressed concern that there is no actual change in US law; rather, the agreement is based on an exchange of letters by an administration which is coming to its end, saying: “This is a shaky situation which needs to be addressed to give us confidence that 'Privacy Shield' is something more substantial than is suggested in the initial announcement.”

Earlier in the day, when it looked as if the deal would not happen, Mark Thompson, privacy practice leader at KPMG, commented: "Given the fundamentally different cultural views on privacy between the EU and the USA it is not a surprise that there have been challenges getting to a 'Safe Harbor 2.0' solution in the allotted time frame.”

Tomorrow (Wednesday 3 February) DPAs across the EU will say what they think about the new agreement; they are now empowered to investigate agreements previously made by the European Commission. A draft agreement will then be drawn up in the next few weeks, according to Brussels' justice commissioner, Vera Jourová, to be called The EU-US Privacy Shield.

For now though, the approximately 4,000 companies affected are expected to be relieved that a deal has been struck. 

In the US the Information Technology and Innovation Foundation (ITIF) vice president Daniel Castro said: “We commend US and European negotiators for completing an agreement that avoids disrupting the transatlantic digital economy in the near term by ensuring continuity for the thousands of US and European companies providing services across the two markets. Free flow of data across borders is essential to global trade and commerce, and this renewed agreement marks an important step forward for US-EU cooperation.”

“We hope the new agreement signifies a line of thinking that will shape future EU policy decisions as well. In the United States, this includes further surveillance reform and passing the Judicial Redress Act. In Europe, this means rejecting protectionist measures, such as a European Cloud, and fully embracing the spirit of a digital single market, not just in Europe, but globally.”

Deema Freij, global privacy officer at Intralinks, answers the question of whether, following the release of Safe Harbour 2.0, businesses need to do anything now: “At the moment, businesses have switched – or are switching – to other legal solutions so they are able to transfer personal data to the US – in a bid to avoid any issues with the decision invalidating Safe Harbour 1.0 by the Court of Justice of the European Union (CJEU).

"Those legal solutions include EU-prescribed Model Clauses. Now, if organisations choose to stay on these model clauses, nothing will change, and they can still use them to support data transfers globally. Model clauses work for all data transfers – not exclusively for transfer of personal data to the U.S. – but they are admin-heavy. Alternatively, they can use Safe Harbour 2.0 as a means of transferring personal data from the European Economic Area (EEA) to the US – and it won't be as much of an administrative burden. Model clauses will still be needed for any other data transfers outside of the EEA, however."

Freij adds: “Data sharing can't be taken for granted any more. Companies and their cloud providers are more responsible than ever for data sovereignty, and this responsibility is only going to increase when the GDPR is adopted, leaving organisations with a two-year time limit to comply. The penalties for wrongdoing are well-publicised and severe for companies which fail to adapt to the new data privacy landscape.”

David Mount, director, security solutions consulting EMEA, Micro Focus, notes how problems with previous iterations of Safe Harbour have arisen, specifically relating to the self-certification aspects of the agreement. “Historically, companies have proved their compliance with the agreement by ticking a box stating that the company adheres to the principles of Safe Harbour and has adequate controls in place. There are some fundamental issues with this, since self-certification does not foster trust and transparency – in fact, it does the opposite. It's important to create more transparency around what data is being stored, what can be shared and what the purpose of this is, but levels of trust are always going to be low in a self-regulated environment. It will be interesting to see how negotiations have addressed the arguably conflicting ideas of trust and self-certification, and whether there is any other way to effectively police data sharing when there is so much data and so many parties involved.”

Fundamentally, how an organisation is able to adapt to these legislative changes is largely dependent on how it manages its data, says Richard Shaw, senior director, field technical operations, EMEA, MapR. Shaw adds that given the sheer volume of data organisations now generate, "the only way to effectively provide the US authorities with the information they demand in a way that complies with all mandated regulatory requirements, is by automating governance processes around management, control, and analysis of data. Compliance protocols can be embedded into the system, guarding against nefarious intervention by rogue elements. Without this level of management and control over data the task becomes a manual effort that's simply not fit for purpose.”

Looking at the idea of European or national clouds, Dave Allen, SVP & general counsel at Dyn, says that to only address the problem from a data residence perspective is incomplete at best, and can lead to a false sense of confidence that regulations are being appropriately addressed. Allen comments: “Businesses need to understand that the actual paths data travels are also a very important factor to consider, and in many ways a more complex problem given the constraints that come with the cross-border routing of data across several sovereign states.

“While there is no silver bullet for compliance with the emerging regulatory regimes that govern data flows, visibility into routing paths along the open Internet and private networks needs to be seriously considered by businesses that rely on the global Internet to serve their customers. In this era of emerging geographic restrictions, having access to traffic patterns in real time, along with geo-location information, provides a much more complete solution to the challenges posed by the EU-US Privacy Shield framework.”

Peter Galvin, senior VP of strategy at Thales e-Security, points out that while the new EU-US Privacy Shield demands stronger obligations, safeguards and transparency of data, leaders should consider that using techniques such as encryption will ensure their information is protected, regardless of its location. "Robust encryption ensures the safety and security of data wherever it is in the world, allowing organisations to leverage cloud-based infrastructures while ensuring the safety of their sensitive data. Crucial to this encryption process is effective key management. By ensuring they keep their 'keys' on premise – or by allowing them to 'bring their own keys' stored safely in a hardware security module (HSM) – organisations hosting protected data in the cloud will be able to take control of their data, no longer needing to worry about external decisions influencing their policies.”

Castro concludes, “Ultimately, the European Commission should reformulate its data protection regulations to replace the 'adequacy' standard with a 'duty-of-care' provision that requires companies doing business in Europe to be responsible for the actions of their agents and business partners, regardless of where they are located.”
