Yottabytes: Storage and Disaster Recovery

Jul 29 2016   12:31AM GMT

EU, U.S. Agree On User Data Privacy

Sharon Fisher

Tags:
government
privacy
Security

As you may recall, last fall the European Union became concerned about the privacy of its citizens’ user data when it is sent to U.S. companies, because of data security flaws revealed by Edward Snowden. The European Court of Justice gave the EU and the U.S. until the end of January to come up with a better way to transfer data between themselves.

The good news is, they did. But the bad news is, they got it settled just in time for Brexit – the UK’s exit from the EU – to screw it all up again.

“Privacy Shield”

So here’s the good news. The European Commission, which governs the EU, announced on July 12 that it had adopted the EU-U.S. Data Privacy Shield, which was announced on February 2 and replaces the previous “Safe Harbor” method that was no longer considered adequate. Further modifications were made after one European committee found the additions were also inadequate.

While the whole thing amounts to 44 pages of legalese (and another 104 pages of annexes), the Data Privacy Shield boils down to several new components:

  • The U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to make sure they’re following the rules.
  • The U.S. promises that it won’t perform indiscriminate mass surveillance on the data it gets from EU citizens – and citizens have a method of redress if they think this isn’t being followed.
  • The European Commission and the U.S. Department of Commerce will review the program every year to make sure it’s doing what it’s supposed to.

Without the agreement, more than 4,000 European and U.S. companies wouldn’t have been able to exchange data about each other’s citizens as easily, which could make commerce more difficult. That’s currently worth up to $260 billion, writes Mark Scott in the New York Times.

The next step is for companies to sign up for the self-certification program, which starts August 1, write Maria Camila Tobon and Alfred J. Saikali of the law firm Shook Hardy & Bacon LLP in the legal website Lexology. Google and Microsoft said they would be signing up for the new program; Facebook said it was still thinking about it. (The other, more-cumbersome alternatives to Safe Harbor are still around.) If companies decide to join within two months, they will then have nine months to actually comply; companies that decide after the two months will have to comply right away. Violators can be fined up to 20 million Euro.

Meddlesome Busybody

All that stipulated, the user data privacy legal case that spawned this activity is still going on. Austrian privacy activist Max Schrems sued Facebook to determine whether personal privacy of the data it transfers back to the U.S. is properly protected from U.S. government surveillance, which is what started the whole Safe Harbor issue. In fact, as the Privacy Shield was getting settled, an Irish court was ruling that the U.S. could join Facebook’s case, since the precedent was so significant, writes Padraic Halpin for Reuters.

That ruling was important because it means that the U.S., as well as organizations such as the Electronic Privacy Information Centre, the trade group Business Software Alliance, and the European alliance of Internet companies Digital Europe, can present evidence as an amicus curiae in the case because they have a bona fide interest and are not just a “meddlesome busybody,” The Hill’s Joe Uchill quotes the Irish High Court as saying. (In contrast, the American Civil Liberties Union and the Electronic Frontier Foundation were denied this privilege, he adds.) How long that lawsuit is going to take, nobody is speculating.

And What About Brexit?

The UK may face issues similar to those of the U.S. with its departure from the EU, depending on how the negotiations go that will determine whether it is still considered a European Economic Area, writes Claus Farber in the National Law Review. That process could take two years, he writes. On the other hand, some see the UK’s departure from the EU as an advantage in that area.

In addition, Canada is concerned that the EU will find its data transfer regulations inadequate as well.

Moreover, some people feel that even the new user data privacy standards still don’t go far enough. “Legal challenges are already being prepared, and the European Court of Justice — the same court that overturned the previous trans-Atlantic data transfer deal — is likely to review the Privacy Shield to see if it meets European standards,” Scott writes. So in a year or two, we may be right back where we started from.

2  Comments on this Post

 
  • Philip Virgo
    Meanwhile the rising tide of fraud and impersonation is eroding public trust in the good faith of those who collect and store personal information to exploit for commercial gain:  that $260 billion "business opportunity".
  • wolfgang2
    What does "the U.S. promises" mean?
    Answer: Nothing. Same situation as before. This is just a ridiculous show to make business earn more money and show an understanding of law like in Russia.
