A vigorous debate over the EU-US Privacy Shield pact has raged on between US and European legislators, courts and privacy regulators throughout the past year. As the discussions finally arrived at a tentative resolution, the unexpected results of the US presidential election may now threaten to upend compromises that have been eked out by the contesting parties.
President-elect Donald J. Trump's numerous attacks against privacy and international cooperation throughout the presidential campaign have prompted concerns from information security professionals on both sides of the Atlantic over the effects the administration will have on international legal issues.
Although European privacy regulators – including the Article 29 Working Group and the Article 31 Working Group – continued to critique the Privacy Shield agreement, the European Commission approved the pact in July. Companies could register for Privacy Shield certification beginning in August.
Many of the most vexing aspects of the international agreement have been decided by the agreement negotiations throughout the summer. The EU has been “hard set” about the requirements needed for US companies to do business in European Union member countries, John Bambenek (left), manager of threat systems at Fidelis Cybersecurity, tells SC Media. “At this point, it's already baked in and doubtful that it would be reopened,” he says.
The self-certification will hold for now “until there is a problem,” says Morey Haber, vice president of technology at BeyondTrust. “When a self-certifying company is found to have been non-compliant with Privacy Shield, some U.S. companies “may lose their entire market share in specific geographies.”
Some pros expressed concern that the new administration's approach may cause insurmountable roadblocks during upcoming regulatory conversations.
A Congressional aide tells SC that he could envision the President-elect rebuffing the EU's data protection concerns about foreign surveillance of Europeans by trying to walk back Privacy Shield.
Bambenek says he expects “privacy will be the loser” when decision points arise during upcoming Privacy Shield negotiations. Trump has signalled that he does not view privacy or international cooperation as priorities, and it will be interesting to note how European regulators and legislators respond to the administration on international issues that require cooperation.
The direction of international legal issues may depend on whether Trump selects cabinet members who prioritise the business opportunities promised by Privacy Shield over the nationalistic America-First sentiments that were expressed during the presidential campaign.
While Trump's campaign comments have given cybersecurity pros ample cause for concern, some have also pointed to developments that give a glimmer of hope. KoolSpan executive chairman Elad Yoran told SC that Trump “seems to be a pragmatic person” who has an interest in maintaining cybersecurity leadership within the U.S. “I would like to see the practical and problem-solving Trump emerge on this issue,” he says.
Yoran (left) says he sees “hypocrisy on both sides of the pond.” The same countries that are now calling for stronger privacy protections are meanwhile enacting laws to allow access of that same information within their country – and “often with less due process,” he says. “There needs to be, in the coming years, a fundamental reckoning of that hypocrisy.”
The U.K.'s exit from the European Union and the unexpected results of the U.S. presidential race have led to a scenario in which international legislation on privacy issues is largely still in flux. The upcoming elections in France and Germany could still impact the EU's influence on data protections and national security legislation.
However, the U.S. is unlikely to take a proactive approach on international legal issues related to either privacy or cybersecurity policy. “I don't think we have a clue as to what is coming,” says Haber. “To me, the administration is a very knee-jerk reactive administration.”
Despite industry professionals' pessimism on EU-US relations, a question remains: Might Brexit pave the way for a data-sharing agreement between the US and UK? The progress on enacting the so-called Snoopers' Charter in the UK – which would require ISPs and telecommunications companies to hold records of subscribers' internet browsing activity – has demonstrated that the incoming administration may have a like-minded ally in the UK.
Haber sees the prospect as unlikely. While the legislation has faced resistance in the UK and criticism in the US, he expects that a formalised data-sharing mandate between the two countries would cause data protection groups to “kick back a lot harder” than they have on the issue.
Despite a lack of legislative momentum enacting solutions to information security internationally, the “inherent paradox” says Yoran, is that many policymakers remain focused on gaining access to information for purposes of anti-terrorism or law enforcement. Meanwhile, the same legislators talk about a need for strong cybersecurity.
Yoran said he has yet to meet a CSO in government or the private sector who was willing to protect their organisation's information with backdoored technology. “Hopefully,” he says, “those voices will be heard.”
*Privacy Shield's adequacy in safeguarding European citizen's privacy is to be discussed on January 12 by the European Parliament's Civil Liberties, Home Affairs and Justice Committee.