Data processors find themselves caught between emerging EU law and US demands
On October 6, 2015 an essential legal prop for the movement of global data, Safe Harbour, suddenly appeared to crumble overnight. In a judgment on a legal case brought by Austrian citizen Maximilian Schrems against Facebook, the European Court of Justice (ECJ) ruled that an agreement that had been the foundation of data certainty since the year 2000 no longer offered the guarantees necessary to prevent surveillance by US intelligence services.
To privacy campaigners, Schrems will go down as the man who brought down a rotten system but in truth dissatisfaction with the agreement had been palpable since revelations of NSA mass surveillance Edward Snowden emerged in 2013. US companies, including many operating under Safe Harbour, had been complicit in this for years. Safe Harbour was mere paper protection waiting to be blown over.
Even before the judgment, the EU and US have been working on something to patch up data transfer and duly came up with the EU-US Privacy Shield on 2 February. According to the European Commission, the new agreement is an improvement over Safe Harbour on a number of levels.
The EU-US Privacy Shield agreement explained - what is it?
At the moment, a placeholder for an agreement in principle for what will replace Safe Harbour. The details have yet to be published. However, among its broad sweep will be the following new provisions.
- The US Department of Commerce will oversee of how US firms implement the agreement.
- The US has for the first time given the EU a written description of how far it can go in terms of state access to data transferred from the EU and said that won’t include mass surveillance.
- EU citizens unhappy about the regime will be able to challenge the Department of Commerce and the Federal Trade Commission (FTC) through their local data commissioner
- US firms will have to comply with orders from EU data commissioners and an ombudsman will be set up to handle complaints
The European Commission and the US Department of Commerce will carry out an annual joint review of the agreement.
How many companies depend on data transfer?
Estimates vary but up to 5,000 used Safe Harbour, including all the big US brands such as Google, Facebook and Twitter. Without such an agreement, a huge chunk of the cloud and Internet sector would be in trouble.
What the European Commission says about the EU-US Privacy Shield
“This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.”
What consultants think
“A lot of global businesses will be breathing a sigh of relief today as a significant number of them didn’t take action to address the risk of Safe Harbour disappearing. The agreement is good news for companies as a number were clearly going to struggle from a financial and operational point of view with the uncertainty surrounding the movement of personal data.” (Mark Thompson, privacy practice leader, KPMG)
What critics think
The EU-US Privacy Shield is little more than a series of general statements for now, vague on specifics and depending on political buy-in by the US. Those assurances could change with a new US administration. The detail inside the final document will be telling when that is published before the summer. Legal challenges seem inevitable which bodes ill for anyone who wants this to blow over quickly.
The EU-US Privacy Shield agreement explained - what will happen next?
When the detail is published the new agreement will be challenged by privacy groups. This will create some uncertainty. The era of easy data transfers with the US is probably over.
And the EU’s General Data Protection Regulation (GDPR)?
The EU-US Privacy Shield will have to comply with and be consistent with it adding yet another layer of complication and uncertainty.
Adding to the confusion, the US Department of Justice (DOJ) and Microsoft are in the midst of a legal case in which the US authorities want to access to data held on an Irish server regarding a criminal suspect. Microsoft believes that a US search warrant is not valid and the access should be requested via the Irish Government using the Mutual Legal Assistance Treaty (MLAT). If Microsoft is forced to hand over the data by a US court ruling, the EU-US Privacy Shield could look pretty careworn before it’s got going.
What are the alternatives?
In the short term, there are only two possible options. First, processors could use EU datacentres to hold data onshore until such time as a more stable agreement emerges. The alternative is to resort to ‘model contract clauses’, approved procedures between data exporters (in the EU) and importers (in the US), complex and possibly expensive frameworks that make explicit safeguards should they be challenged before the EU-US Privacy Shield becomes stable.
Uncertainty - and fear - sells
Unfortunately, as with the GDPR, some vendors already sense the possibility of doing some good business. Expect a lot of self-interested pitches to be made for encryption, access control, and almost anything that stops shadow IT. European data and cloud processors will also see the likely requirement to use local facilities as a good sales day.