Data processors find themselves caught between emerging EU law and US demands
On October 6, 2015 an essential legal prop for the movement of global data, Safe Harbour, suddenly appeared to crumble overnight. In a judgment on a legal case brought by Austrian citizen Maximilian Schrems against Facebook, the European Court of Justice (ECJ) ruled that an agreement that had been the foundation of data certainty since the year 2000 no longer offered the guarantees necessary to prevent surveillance by US intelligence services.
To privacy campaigners, Schrems will go down as the man who brought down a rotten system, but in truth dissatisfaction with the agreement had been palpable since Edward Snowden's revelations of NSA mass surveillance emerged in 2013. US companies, including many operating under Safe Harbour, had been complicit in this for years. Safe Harbour was mere paper protection waiting to be blown over.
Even before the judgment, the EU and US had been working on something to patch up data transfer and duly came up with the EU-US Privacy Shield on 2 February. According to the European Commission, the new agreement is an improvement over Safe Harbour on a number of levels.
The EU-US Privacy Shield agreement explained - what is it?
At the moment, it is a placeholder for an agreement in principle on what will replace Safe Harbour. The details have yet to be published. However, among its broad sweep will be the following new provisions.
- The US Department of Commerce will oversee how US firms implement the agreement.
- The US has for the first time given the EU a written description of how far it can go in terms of state access to data transferred from the EU and said that won't include mass surveillance.
- EU citizens unhappy about the regime will be able to challenge the Department of Commerce and the Federal Trade Commission (FTC) through their local data commissioner.
- US firms will have to comply with orders from EU data commissioners and an ombudsman will be set up to handle complaints.
The European Commission and the US Department of Commerce will carry out an annual joint review of the agreement.
How many companies depend on data transfer?
Estimates vary but up to 5,000 used Safe Harbour, including all the big US brands such as Google, Facebook and Twitter. Without such an agreement, a huge chunk of the cloud and Internet sector would be in trouble.
What the European Commission says about the EU-US Privacy Shield
"This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses."