EU-US Privacy Shield - is this a new Safe Harbour agreement?
Content Copyright © 2016 Bloor. All Rights Reserved.
Also posted on: The Norfolk Punt
The demise of the old Safe Harbour agreement between the US and the UK, which allowed the interchange of personal and sensitive data between EU and US datacentres, has been causing rising panic as the implications sink in. Now, a January 31st deadline has bitten and some resolution of the issue is appearing; see here for the official press release.
However, this seems rather unlikely to address the mistrust I see between the world in general and the USA, quite aside from data privacy. It seems to me that the fundamental issue here is that any non-US company is at least a little bit frightened of the possibility of state-sponsored industrial espionage if their sensitive data gets into US jurisdiction. Whether this threat is real or not is moot (perception is all); no one is quite sure what the US spooks are able to do with “our” data in the USA, if they play the terrorism card, regardless of any official statements.
Robert Bond, an IT Law specialist and Partner at Charles Russell Speechlys, poses the question of whether this is more of a privacy shield than a safe harbour here. He points out that “Safe Harbor did not necessarily provide a lawful data transfer mechanism for US companies not governed by the Department of Commerce (such as the Financial Sector)”, and wonders whether the Privacy Shield will do any better.
We shall see, but I think that this is, in essence, a fundamental governance issue for companies trading in the USA, and one that will run and run. If some American company tells you that the Privacy Shield will mean that there’ll soon be no problems sharing any of your data with US sites, I think that you should be very cautious, for now, at least. Of course, if you strongly encrypt anything that might end up in the USA, then you are a bit safer anyway, although the Americans you authorise to read it (if there are none, why is the data in the USA?) could still be an issue.
And, as I anticipated, the discussion isn’t over yet. Robert has just pointed me at this, which is the EU regulators asking for more detail on what Privacy Shield actually does; his further comments are here. Basically, the EU regulators are still insisting on four essential guarantees governing the activity of US spooks as part of any new US framework, and will be examining Privacy Shield accordingly. As I said, this will run and run…
I now note that the Article 29 Working Party of EU data protection regulators has not found the EU-US Privacy Shield Framework adequate as currently negotiated. I’m hardly surprised but people such as the Information Technology and Innovation Foundation (ITIF), a technology policy think tank, are certainly upset. In a press release (April 2016), ITIF Vice President Daniel Castro said: “We are disappointed that the Article 29 Working Party has not affirmed the adequacy of the EU-US Privacy Shield Framework negotiated between the European Commission and the U.S. Department of Commerce. The new agreement offers a host of new protections, obligations, and opportunities for redress that affirm the commitment of the U.S. government to safeguard European data and respect the rights of European citizens. Moreover, the agreement has achieved widespread support on both sides of the Atlantic from many policymakers, businesses, and advocacy groups for offering an opportunity to move forward after the European Court of Justice invalidated the Safe Harbor agreement in the Schrems decision.” He would like the EC to affirm the adequacy of the Privacy Shield Framework anyway; but don’t hold your breath, IMO – the issues aren’t trivial.