EU/US Privacyshield: one common goal but 180 degree difference in vision
We are registering the start of this century when social media more or less didn’t exist yet, nobody heard of big data and Edward Snowden was still a young man.
At that time it wasn’t hard to see how the European Union and the USA made a gentlemen’s agreement on the processing of personal information in the USA even though the country offered a privacy protection level nowhere close to becoming adequate according to European privacy laws (data protection directive 95/46/EC) on the promise they would behave themselves and companies could be trusted with a self-certification system on which the American FTC (Federal Trade Commission) would keep a close eye. They called it “safe harbour” which lasted for around 15 years.
(Deze blog is eerder geplaatst op shamrockinfosec.com en met toestemming gebruikt)
Door Drs. Andor Demarteau (Shamrock Information Security)
The adequacy of American data protection hasn’t changed in all these years and with the expected growing protection against unlawful data processing only increasing in the GDPR it will not change in the favour of the American views on privacy anytime soon either.
So why is the privacy shield more a cloak than a protective measure?
So what has changed? Well first of all we have seen the further growth of the internet and, as specially important for this topic, companies that harvest data to make money of it. In particularly I’m referring to internet based advertising companies, social media companies and unfortunately since last year even operating systems vendors that use personal data for profiling and targeted advertising. Some of these even have this as their main business model too.
What has also changed, thanks to Mr. Snwoden, is that we now know that the Americans were hiding something they rather not wanted us to know about the way they are handling personal data of non-US citizens (okay their own citizens as well but that’s beside the point here).
Now fast forward to October 2015, Luxemburg at the offices of the European Court of Justice (ECJ) and the case of Max Schrems vs. Facebook. Now it’s not directly related to the massive data-grabbing business model of Facebook but more to the inadequate protection of personal data against unlawful processing because of the mass surveillance practices by the NSA (National Security Agency) that came to light when Mr. Snowden legged it to Hong Kong and revealed it all to the world (or man + dog as one of my favourite tech-sites would call it).
The upshot of this all laid bare the shortcomings of the safe harbour agreement and the differences in vision between the European and American way of protecting our personal data.
EU/US privacy shield
When this ruling came out last year October great panic broke out within a lot of international companies that, until then, happily send all their data over the big pond under the safety of the safe harbour agreement. Or so some of the media would have us believe.
Fortunately, although more complicated, there are other ways of transferring data to countries outside the European Economic Area, but with the ruling of the ECJ every transfer done according to the safe harbour adequacy decision was now illegal or at least could become so.
A solution obviously needed to be implemented that would do justice to the ECJ ruling, the European data protection viewpoints but also to the American way of handling personal data and their fears they would lose access to a treasure troth of information they deemed vital in their fight against terrorism.
Of course they didn’t start the negotiations the moment the safe harbour agreement was invalidated by the ECJ but the pressure increased on the ongoing negotiations to come with a replacement for the now defunct adequacy agreement sooner rather then later. The pressure was piled on higher when the article 29 working party (all European data protection agencies together) said that they would start enforcing the outcome of the ECJ decision starting February 1st 2016.
Early February 2016, just days after the ultimatum by the article 29 working party expired, the European Commission very proudly released a statement they had reached an agreement with their US counterparts on a new framework of overseas data transfers that would bolster the protection of our (European citizens) data against mass surveillance by American intelligence agencies.
The new name wasn’t Safe Harbour 2.0, although some do call it that, but they came up with the new name of EU/US Privacy Shield.
Cloaking instead of shielding?
The new framework does call for more stringent controls on US companies to comply with EU privacy laws. This would, in theory, get rid of the self-certification and “believe me on my blue eyes” mentality that was prevalent under the safe harbour framework.
It also calls for the creation of an ombudsman within the US government to handle complaints about data protection violations by the same US government sounds very helpful. But as you may have noticed, the new institute would be part of the same organisation it is watching and possibly reprimanding on violations. So much for it’s independent position.
These two facts by themselves may offset each others negative and positive effects and may, if implemented truthfully, even lead to a better protection for European data subjects.
However buried deep in the agreement text there is one more thing that undermines the entire believability of the agreement. Despite all the new protection measures and promises by the US government there are still three broadly formulated reasons for allowing mass surveillance access to European personal data.
The reasons for “generalised access” are defined as:
If the tailored and targeted access is not technically or operationally possible; or if they see some very dangerous trend that needs more than targeted access.
In other words: they will still be using generalised access (mass surveillance) if they can find a reason for it and are allowed to do this as well under the privacy shield agreement.
Privacy campaigner Max Schrems couldn’t have put it better in a tweet on February 29th stating:
They put ten layers of lipstick on a pig but I doubt the Court&DPAs suddenly want to cuddle with it
(text and image copyright by Max Schrems)
This month the article 29 working party has stated that they welcome the improvements the privacy shield bring over the safe harbour agreement, but they also voice their concernes with several elements regarding indiscriminate access to personal data. The full text of their press statement can be read here.
Apart from possible claims, legal battles and an uphill struggle for the privacy shield to really life up to it’s expectation, one other question remains to be answered: who in the end will have more to say on who has access to personal data of European citizens, our own data protection authorities or the American intelligent agencies.
I won’t set my money on either of the parties just yet.
There is one final note I must make on this topic concerning the different views on privacy between Europe and the USA. Americans see privacy as a consumer right not regulated by the government and different per market sector. European citizens however view it as a fundamental human right governed by strict laws and protection similarly applied to all cases and sectors. Although this will certainly not account for the differences in handling mass surveillance data between both parties, it may however indicate why it is such a struggle to come to any agreement that does justice to both legal systems.
5 jaren geleden