Early in 2016, the EU-U.S. Privacy Shield started a new chapter in the history of EU-US data exchange. When the European Court of Justice declared the International Safe Harbor Privacy Principles invalid on October 6th 2015 (based on Case C-362/14), privacy and data protection issues rapidly gained attention in the press and with the wider public. Shortly after, plans for the successor to Safe Harbor would see the light of day.
To be on the safe side, EU and US companies alike need to make sure the sensitive or personal data they collect and keep is well secured. End-to-end encryption, starting as close as possible to the source of this data, is the key. This is the only way to prevent unauthorized and unwanted access. And this is regardless of data transfers, storage locations (within EU borders, in the US or elsewhere) and applicable local laws and regulations.
Hardware Security Modules (HSMs) and hardware encryption without backdoors prevent unwanted access to a company’s sensitive data. As an illustration, Utimaco HSMs are particularly suited for:
HSMs protect data even in the case of a system breach. Whether it is initiated by cyber criminals or a public authority’s mass surveillance initiative.
After long, intense negotiations, the European Commission and the US Government agreed on a new framework regarding transatlantic data transfers: The EU-U.S. Privacy Shield saw the light of day. It provides a “mechanism [for companies] to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce”. On July 12th 2016, the EC formally adopted the Privacy Shield Framework (Commission Implementing Decision (EU) 2016/1250), declaring it adequate to enable data transfers under EU law (see the adequacy decision).
The European Court of Justice had set forth several requirements on October 6th 2015, which the Privacy Shield now considers. These include effective supervision mechanisms with strong oversight, limitations for access to personal data for national security purposes, the handling and resolving of individual complaints as well as an annual joint review of adequacy decisions (MEMO/16/2462, EC Fact Sheet, July 12th 2016).
The EU-U.S. Privacy Shield resides on four pillars:
The US Department of Commerce has been receiving applications from US companies for the Privacy Shield since August 1st 2016. More than 2,400 organizations (status August 2017) are currently listed on the US Department of Commerce Privacy Shield List. This includes familiar companies such as Google, Amazon or Twitter. For a list of Privacy Shield companies, go to https://www.privacyshield.gov/welcome.
Want to learn more about Hardware Security Modules and securely encrypting your data, no matter the storage location? E-mail us at firstname.lastname@example.org.
Want to know more about the transition from Safe Harbor to EU-U.S. Privacy Shield and upcoming challenges? Take a look here below or read our blog post.
To serve global economic purposes and allow for transatlantic data transfers, the Safe Harbor Privacy Principles were initially implemented in July 2000 (Decision 2000/520/EC) after the European Commission (EC) decided that the United States “ensure[s] an adequate level of protection by reason of [its] domestic law or of the international commitments it has entered into” (acc. Article 25(6), Directive 95/46/EC).
Reform of EU Data Protection Directive 95/46/EC
The new EU data protection framework, also referred to as the General Data Protection Regulation (GDPR), has been discussed and negotiated by the European Council, Parliament and Commission for roughly four years. It was finally adopted on April 14th 2016. Regulation 2016/679 will go into effect as of May 25th 2018 and repeal Directive 95/46/EC, in place since 1995. Directive 2016/680 shall be transposed into EU Member States’ national law by May 6th 2018.
Two key players influenced what happened next: Edward Snowden, an American whistleblower and Maximillian Schrems, an Austrian privacy activist who filed a legal complaint against Facebook Ireland. According to the transcript of Case C-362/14, Mr. Schrems contended that the laws and practices in force in the United States do “not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in there by […] public authorities”. On these grounds, the Court (Grand Chamber) ruled Decision 2000/520/EC, i.e. the Safe Harbor Decision, invalid on October 6th 2015. After long negotiations, on July 12th 2016, the EC adopted the Privacy Shield Framework. They had declared it is adequate to enable data transfers under EU law.
Both US and EU companies as well as public authorities and entities have an interest in continued transatlantic commerce and data exchange. EU citizens might criticize the inadequacy of this agreement and consequences for data privacy. But they also profit from it when it comes to using Social Media or international online shopping.
What is worth mentioning, however, is that aside from Privacy Shield, there are alternative mechanisms which enable data transfer from within the EU to non-EU countries, e.g. the EU Model Contracts with Standard Contractual Clauses and Binding Corporate Rules.
Ongoing discussions and criticisms surround the EU-U.S. Privacy Shield. These come e.g. from the Article 29 Working Party and the Digital Rights Ireland data protection organization. They illustrate how transatlantic data transfer is not yet secure, which leaves us curious as to the evolution and final outcome.
At the beginning of 2017 we learnt that the “America first” initiative as outlined by the new US president Donald Trump seems to target some essential achievements of the transatlantic cooperation, such as data protection and privacy.
The first joint annual review of the Privacy Shield took place in September 2017 in the US. It represents a milestone to check the proficiency of day-to-day operation and to identify potential shortcomings.
Finally, a number of changes are also ahead or ongoing to ensure compliance of the Privacy Shield with the new GDPR that will apply as of May 2018.
Companies are thus well advised to stay up to date with upcoming requirements and deadlines from either side. And in the meanwhile, they should have mechanisms in place to fully secure the data they handle.