
Privacy Shield to replace Safe Harbor framework

The EU and U.S. agree on Privacy Shield as the replacement for the Safe Harbor framework for transatlantic data flows, though questions remain over privacy protection details.

The European Union and the United States agreed to a new framework for transatlantic data flows, called the EU-U.S. Privacy Shield, replacing the Safe Harbor Framework.

The Privacy Shield agreement allows multinational companies to transfer data while providing citizens with privacy protection, as well as avenues of recourse when they believe their privacy rights are being violated.

The new arrangement "reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015," when the Safe Harbor framework was declared invalid, according to a statement from the European Commission (EC). "The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans, and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission, including through increased cooperation with European Data Protection Authorities."

The new arrangement puts in place three main elements, starting with addressing EU citizens' privacy concerns related to U.S. surveillance practices by mandating safeguards and transparency obligations on the U.S.

"We have for the first time received detailed written assurances from the United States on the safeguards and limitations applicable to U.S. surveillance programs," Andrus Ansip, vice president of the EC, said at a press conference on Tuesday.

"The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the U.S. under the new arrangement," the EC stated. An important part of that is the requirement of "regular monitoring of the functioning of the arrangement." Under Privacy Shield, "there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it."

Privacy Shield also requires that U.S. companies importing personal data from Europe commit to handling that data appropriately, with monitoring and enforcement by the U.S. Department of Commerce. Companies handling human resources data must comply with decisions made by European country data protection authorities.

The third aspect of the new Privacy Shield agreement is that it requires effective protection of EU citizens' right to privacy. Progress last week on the Judicial Redress Act, which gives foreign citizens the right to sue in U.S. courts for damages related to privacy violations, cleared an important hurdle for reaching agreement. The act is reportedly on a fast track for passage.

"For the first time, EU citizens will benefit from redress mechanisms in the area of national security access," Věra Jourová, EU justice commissioner, said at the press conference, explaining some of the aspects of the way the new agreement protects the rights of EU citizens. "Any citizen who considers that their data has been misused under the new scheme will benefit from several accessible and affordable dispute resolution mechanisms."


If a privacy complaint is not resolved by the company handling the data, Jourová said "there will be free of charge alternative dispute resolution. Individuals can go to the EU data protection authorities who will work together with the Federal Trade Commission on the U.S. side to ensure that complaints by EU citizens are investigated and resolved." She added that there would be a possibility for redress even in the area of national security to "be handled by an ombudsperson, independent from the U.S. intelligence services."

With the passage of the Judicial Redress Act, Jourová said, "EU citizens will, for the first time, have access to U.S. courts in the context of personal data being used for law enforcement purposes."

The Safe Harbor framework, which had been in place since 2000, was declared invalid last year by the European Court of Justice after Austrian privacy activist Max Schrems successfully challenged Facebook's transfer of his personal data to the U.S., arguing that the data was exposed to collection by the National Security Agency.

"Even with this agreement, companies that wish to rely upon Safe Harbors for EU-to-U.S. data transfers are likely to face some continued uncertainty for the near future," according to Jackie Klosek, counsel in the business law department of law firm Goodwin Procter. First, she said, "the agreement is not expected to be implemented instantly. Secondly, and more concerning, it seems likely that this accord can also face a legal challenge, and, based upon the decision in Schrems, it is not certain that this agreement would be sufficient to pass legal scrutiny."

Speaking at the press conference, Jourová said that in the final stages of negotiations, EU negotiators "used the court decision as a real benchmark, which also guided us to formulate properly the requirements, and to set up this new structure." Acknowledging the threat of new legal complaints and decisions against the new framework, she said that she was "pretty sure" that the new scheme would stand up from a legal point of view.

Privacy Shield issues: Privacy and the cloud

The announcement of the Privacy Shield framework was met by many in the industry with cautious relief. "While we wait for more details on the framework and oversight, we're seeing some skepticism from human rights and privacy organizations -- and rightfully so," said Daren Glenister, field CTO at enterprise software maker Intralinks Inc., based in New York.

"Our survey of global business leaders shows that when it comes to data privacy, the United States is the least-trusted nation, even more so than China and Russia," Glenister said. "There are still hurdles to clear -- first and foremost, the EU court that rendered Safe Harbor invalid last October will need to decide if the Privacy Shield goes far enough. If it does, data transfers to the U.S. will be legal under European law. But U.S. businesses still need to prepare to meet any compliance requirements. In short, the agreement today gives American companies some breathing room -- but doesn't supply the oxygen."

Yorgen Edholm, CEO of Accellion, based in Palo Alto, Calif., was less optimistic about Privacy Shield. "While the creation of a new Safe Harbor agreement for EU-U.S. data transfer may not please both sides entirely, it does enable U.S. businesses to continue operations with European customers without incurring stiff penalties, but also makes some important concessions for European data privacy," he said. "European attitudes toward data privacy have not changed, and we suspect it will only be a matter of time before Safe Harbor 2.0 is challenged in court. Ultimately, the practice of transatlantic data transfer will remain controversial as long as there remains a fundamental difference of opinion between the U.S. and the EU on what is more important: national security or data privacy."

Privacy Shield will continue to impact cloud management. "Companies and their cloud providers are more responsible than ever for data sovereignty, and this responsibility is only going to increase when new European data privacy rules are adopted, leaving organizations with a two-year time limit to comply," said Deema Freij, global data privacy officer at Intralinks. "The penalties for wrongdoing are well-publicized and severe for companies which fail to adapt to the new data privacy landscape."

"More and more employees are creating, accessing and sharing data across an ever-growing number of cloud apps -- some sanctioned by IT, but many unsanctioned. This can put an organization out of compliance with regulations and subject them to crippling fines, as they often don't know the specific apps their employees are using or where the data stored in those apps reside," said Jamie Barnett, vice president of market data at Netskope, based in Los Altos, Calif.

Rick Orloff, chief security officer at Minneapolis-based backup software maker Code42, said "the onus to protect customer data must be on companies themselves, something large-scale policy can rarely do in a comprehensive manner." Orloff said, ultimately, the focus on server locations is "irrelevant" when it comes to information security.

"A significant portion of sensitive company information is on the laptops, smartphones and workstations of employees. This movement of data to the edge of the network -- away from the data center -- poses the biggest threat for CIOs and CISOs," Orloff said, adding that to protect data, companies "first need to secure the endpoints in your organization and protect the data residing on them."

While the progress of Privacy Shield is a positive development for enterprises, IT companies and cloud providers, they're fully aware that legal and ethical issues around privacy and data residency will continue to be discussed, debated and challenged. "The demise of Safe Harbor 1.0 signified to companies that it's good to have backup plans and options should one legal route be shut off," Freij said. "At the moment, businesses have switched -- or are switching -- to other legal solutions to be able to transfer personal data to the U.S. from Europe in a bid to avoid any issues with the invalidation of Safe Harbor 1.0 while the details of a replacement are being finalized."
