After months of discussions and consultations, last night the EU and US struck a last minute deal on data sharing designed to ensure the safety of EU citizens’ data when transferred across the Atlantic.
The 'Safe Harbour' agreement has been scrapped and replaced with the 'Privacy Shield,' but what's in a name? The attention has now moved from providing US companies a safe harbour for storing EU-collected data in the US, to a shield protecting EU citizens from their data being misused in the US.
'For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms,' said Europe's justice commissioner Věra Jourová.
'Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.'
But MetricStream senior executive and former Gartner Vice President French Caldwell, who has experience working with the US White House on issues relating to national and cyber security, sees a number of flaws in the deal and expects further legal challenges.
'National security surveillance is something that all governments with the technical means to do so engage in,' said Caldwell. 'With or without Safe Harbor or its successor, those surveillance programs will continue.'
'The legal definitions of personal data are so antiquated that, even if that data covered under privacy law are protected – that is addresses, driver’s license, tax identification, phone numbers, etc – there is still so much data around people’s movements and online activities that an entire behavioral profile can be built without accessing the PPI that is considered legally protected.'
As Caldwell explains, privacy protections in the US have evolved significantly over the years and, in fact, US laws on data breach protection have begun to be replicated in the EU.
Also, US authorities, in particular the FTC, are aggressive in penalising companies for not following privacy policies – much more aggressive than EU national privacy authorities.
'PPI is essential for e-commerce,' says Caldwell. 'However, despite evidence that US enforcement of privacy law is very aggressive, not allowing it to cross the Atlantic has no real impact on national security surveillance programs, and there are significant new protections for EU citizens in the new agreement, there will be further legal challenges. It is hard to discount emerging populist movements of nationalism and trade protectionism, as underlying motivations.'
US businesses operating in the EU will breathe a sigh of relief with the news of the new agreement, but this gives little assurance to EU customers trusting a US provider with hosting their websites or sensitive data.
'Issues around data legislation have become a focus point following the Snowden revelations of recent years and US government agencies have historically shown little regard for the data rights of other countries' citizens,' said Richard Davies, CEO of cloud company ElasticHosts.
'In an age where concerns over mass surveillance are growing, it will no doubt alarm many website owners and cloud customers to see how little has been done to give assurance of their privacy.'
'The new laws will still not do much to convince customers to have servers with US companies in the EU and for these customers I see them moving their data to non-US providers simply to minimise risk.'
Scrutinising the new agreement further, Patrick Van Eecke, a partner at law firm DLA Piper, is not sure it will bring the legal comfort companies are looking for.
'As the new agreement will be reviewed on an annual basis, and as local Data Protection Authorities will still have the possibility to prohibit data transfers to the US, it does not bring the much-needed legal clarification companies are looking for,' he said.
'It will even make them think twice before stepping into the Safe Harbor programme and using this as the long term solid legal basis for EU-US data transfers. Instead, they will probably have to go back to asking for individual consent from each citizen they are collecting data from – an onerous and costly process.'