There comes a time when we heed a certain call
Privacy Shield, the first iteration of which was unveiled in February 2016, replaces the now defunct Safe Harbor. Safe Harbor was ruled invalid last October after the Court of Justice of the European Union declared that the U.S. was failing to meet the EU’s requirements for safeguarding personal data. It seems the U.S. practice of mass surveillance wasn’t sitting well with the Court, and thus EU companies were barred from legally transferring personal data to the U.S., and U.S. companies were technically breaking the law if their data protection policies and controls didn’t meet European privacy standards (which was practically inevitable) but the company was handling EU citizens’ data. The absence of Safe Harbor or a viable alternative created a quagmire for organizations needing or wanting to conduct any form of business across the Atlantic.
The new agreement, once it’s final, ups the ante on Safe Harbor. In addition to more stringent rules about how companies process and for how long they store personal data, the agreement itself will reportedly be reviewed annually by a joint committee. U.S. authorities have said to have “clarified better when bulk collection of data may occur and what distinguishes it from mass surveillance.” No clarification on the clarification was clarified, however, which leaves one wondering whether U.S authorities like the NSA and FBI have signed up for Privacy Shield themselves.
The self-certification process is also an interesting question, given that mass surveillance of private companies’ data isn’t always a transparent process. It’s what has the likes of Apple and Microsoft visiting Capitol Hill every now and again, fighting for end-to-end encryption which prevents even them from accessing users’ data. As part of Privacy Shield, the U.S. Department of Commerce will have the responsibility of ensuring companies are meeting the data protection requirements of the framework. As an independent body, a system of checks and balances is theoretically in place, but that system certifies only that businesses handling data aren’t skirting the rules, not that governments aren’t. An independent ombudsperson will be assigned to arbitrate when or if a complaint regarding the potential mass surveillance of data is brought to light. Again, the assumption is that all entities involved—on both sides of the ocean—are playing by the rules and don’t deem it necessary to conduct investigations “in the name of national security” that conflict with Privacy Shield’s stipulations. According to a Wall Street Journal article, the U.S. Office of the Director of National Intelligence pledged to abide by the agreement.
When the world must come together as one
Business organizations and the authorities involved in the creation of Privacy Shield are not surprisingly enthusiastic about the agreement’s promises, both in terms of improved data protection and the ease with which companies can conduct business overseas. Privacy advocates, however, have expressed concern, saying the new framework does little more than the old framework to actually enforce higher standards of data protection. One element addressed in Privacy Shield that was noticeably absent from Safe Harbor is the ability for redress should an EU citizen feel his or her data has been mishandled.
European citizens will be given a voice should Privacy Shield come to ultimate fruition later this summer, and, theoretically, U.S. businesses will be adopting more thorough data handling practices. Several major corporations have said they will sign up for Privacy Shield once it’s available, while others are holding out to see where the agreement lands. Better data protection and privacy are undeniably positive; the world is yet to see exactly how this new requirement will impact cybersecurity overall.
More Infosec Articles