EU, U.S. sign data privacy umbrella agreement
An agreement that extends judicial redress protections to individuals living in the EU seeks to address the data-sharing void left when Safe Harbor was invalidated.
The United States and European Union (EU) officials signed an agreement that extends judicial redress protections before U.S. courts to individuals living in the EU.
The new agreement, called the data privacy umbrella, allows cooperation between the U.S. and Europe law enforcement agencies in transferring data in criminal investigations and “for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism.”
The agreement was signed by U.S. Attorney General Loretta Lynch, European Commissioner for Justice Vĕra Jourová, and Dutch Minister for Security and Justice Ard van der Steur. The data privacy umbrella deal was signed in Amsterdam, is the latest attempted legal solution that seeks to address the void created when the Safe Harbor data-sharing agreement was ruled invalid by a Court of Justice of the European Union last October.
In February, the U.S. and EU signed a 'Privacy Shield' agreement replacing Safe Harbor, although that agreement has been viewed as a solution that lacks legal certainty and has been under fierce attack in European courts. Last week, European Data Protection Supervisor (EDPS) Giovanni Buttarelli said last week that the agreement is ineffective and stated that “progress compared to the earlier Safe Harbour Decision is not in itself sufficient.”
Industry professionals warn of the economic consequences that the lack of certainty involving data sharing agreements could create. International Association of Privacy Professionals (IAPP) Vice President of Research and Education Omer Tene said the debate involving these agreements will “cast doubt on the viability of the existing framework and foments an extended period of uncertainty and risk for businesses in the US and EU.”
The latest agreement “could find itself ignored by other countries, regions, and influential geopolitical organizations in favor of a brand new or side-agreement with less stringent privacy and security guidance,” DataGravity CISO Andrew Hay wrote in an email to SCMagazine.com.
Some companies have responded by moving beyond compliance with specific legislative policies and rather adopting more stringent standards. “In this current state of insecurity, many companies are likely to start adopting the Binding Corporate Rules (BCRs) accreditation,” Elodie Downing, vice president, EMEA general counsel, BMC Software, told SCMagazine.com via email. “With this recognition, companies who obtain BCR accreditation are permitted to transfer personal data outside of the EU in a secure manner and in accordance with local laws and regulations.”
A report conducted by Information Technology and Innovation Foundation (ITIF) noted the complexity involved in establishing appropriate regulatory policy. The report stated that many countries have responded to “disruptive competition” by using regulations as a protectionist tool. “More and more firms and industries are realizing they need to move data across national borders in order to serve consumers effectively, the report stated. “Some are supposedly to serve valid public policy reasons, such as to protect privacy, financial oversight, and national security, but in almost all cases the actual motivation, and certainly the effect, is protectionism. These measures restrict the overseas transfer of all or certain types of data, such as personal health data, thereby forcing companies to store data locally within the borders of a country.”“Will laws like these help public industry effectively tackle crime in a digital world or will the greater ripple be that businesses will be crushed under the weight of extraordinary and undue security burden?” asked Hay. “Only time will tell.”