The “new” Safe Harbour – Shield without protection: On 2 February, the European Commission proudly announced an agreement on the new EU-US Privacy Shield. For now, it is a list of “assurances”, but no document has been seen.
The main points:
- Stronger obligations on US companies to protect Europeans’ personal data: US companies that import and process European personal data have to commit to a set of obligations and guarantee individual rights. How this is to be achieved (self-certification?) and adequately verified is unclear. Companies will be monitored by the US department of commerce, so that it should be enforceable under US law by the Federation Trade Commission (FTC).
- Written assurance by the US: US authorities would only get access for law enforcement or national security reasons subject to safeguards, limitations and oversight. It is questionable whether an assurance is actually enforceable.
- Redress mechanisms: these include a new judicial redress act that will make it possible for EU citizens to bring civil claims to the same extent as US citizens if an agency has breached data protection law. Also, Data Protection Authorities (DPAs) can refer complains to the department of commerce and FTC. Alternative dispute resolution (ADRs) will be free of charge. An ombudsman will be installed to deal with complaints.
Next steps: The Art. 29 Working Party (EU Member States’ DPAs) are expecting to see a text by the end of the month. The Commission has to adopt an “adequacy decision”, for which it needs to seek advice from Art. 29 working party and consult with Member States. Critical voices say that even an “adequacy decision” will be insufficient to comply with the European Court of Justice’s (ECJ) ruling, which upholds the strong role of the DPAs. The 500+ affected companies, in the meantime, have to legitimise data flows through model clauses (i.e. standard contractual clauses and binding corporate rules).
How businesses react: In the meantime, Dropbox announced that it will start hosting data in Germany by the end of 2016.
How governments react: The Financial Times reports that the US and UK started negotiations on a data transfer pact, which would save law enforcement agencies the time of having to go through national judicial departments, which then seek a court order. Instead, companies could directly hand over data (e.g. emails, online chats, etc. of criminal suspects) after being presented a warrant.
Further reading: The Register, Harvard Business Review, European Commission press release, The Economist.
The Apple Case – How privacy could look in the future: Apple has received a US court order obliging it to crack an iPhone used during the December massacre in San Bernardino, US. So far Apple has refused to “hack its own customers”, arguing that such a move would endanger consumer privacy and security and open the door to criminals. Building a version of iOS that bypasses security (i.e. wiping out all data if a wrong password is entered more than 10 times) would be equal to creating a backdoor. Apple has been backed by other IT companies, such as Google, all of which could risk losing customers if built-in backdoors were to become the norm. Yet the case has also fuelled the general debate on how much tech companies should help in the fight against terrorism. US Intelligence Director John Clapper, stated quite clearly how he sees things: “In the future, intelligence services might use the Internet of Things for identification, surveillance, monitoring, location tracking and targeting for recruitment or to gain access to networks or user credentials.”
GDPR – impact on ccTLDs: CENTR is currently analysing how the new EU data protection laws could impact ccTLDs. First results will be presented at the upcoming L&R workshop. In the meantime, read this Privacy and Security Law Report by Bloomberg Law for a comprehensive overview of the main clauses of the General Data Protection Regulation (GDPR) and its implications.
NIS Directive – where do we stand? The final text of the NIS Directive still needs to be adopted by the European Parliament in plenary. Member States then have 21 months to transpose it into national law. Despite the fact that registries are specifically named in the Directive, this does not mean that they are automatically covered by its requirements. It is up to Member States to decide how critical an operator or infrastructure actually is.
Latest available version (18 December 2015)
Overview of each EU institutions’ position
20% of Internet users affected by online security issues: This is the result of a Eurostat survey in 2015. Issues included viruses affecting their devices, abuse of personal information, financial losses, etc. This discouraged almost 20% of respondents from shopping online, using online banking (18%) or using WIFI if it was not their home connection. Most Internet users were affected by such issues in Croatia (42%), Hungary (39%), Portugal (36%), Malta (34%) and France (33%). Least affected were users in the Czech Republic (10%), The Netherlands (11%) and Slovakia (13%). More details
EuroDIG publishes a draft programme: The 150+ topic proposals have now been clustered and allocated to different session slots. CENTR and EuroISPA proposed a technical training workshop to explain how content control measures impact on the different layers of the Internet. The objective is to make this an independent side event in order to set the foundation for an informed debate with stakeholders on content control.
Umbrella Agreement not compliant with EU law: In a recent opinion the European Parliament’s Legal Service said that the EU-US Umbrella agreement, which concerns the transfer of EU data to the US for law enforcement purposes, does not comply with EU primary law and does not respect fundamental rights. Further reading: Euractiv
Are IP addresses “personal information”? The European Court of Justice (ECJ) will be hearing questions from the German federal court on 25 February 2016. Stay tuned!
Erika Mann, former German MEP and current ICANN board member, has joined the law firm Covington and Burling in Brussels.