Blog – Safe Harbour 2.0 Gets The Greenlight


The next major piece of data legislation kicked into effect on 12th July 2016, with the European Commission's official adoption of the EU-US Privacy Shield framework. These measures are intended to protect the personal data of EU citizens when it is transferred to the United States.

“We have approved the new EU-US Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses,” said Andrus Ansip, the EC’s Digital Single Market VP.

“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions”.

Known as Safe Harbour 2.0, this agreement will let firms move personal data across the Pond without breaking the EU's strict data transfer rules. After many re-drafts, the EC believes the new framework is now robust enough to protect the data of European citizens.

Obligations and compliance overseer
The US Department of Commerce will be responsible for checking that companies which have signed up to the framework are actually following its rules. Those that fail to do so face sanctions and removal from the list. The same level of protection must also apply to any personal data that a participating company forwards on to third parties.

Safeguards and transparency around US government access
The EU has received assurances that access by US public authorities for law enforcement and national security purposes remains subject to clear limitations, safeguards and oversight mechanisms. The US will not undertake indiscriminate mass surveillance of the personal data of EU citizens, and every EU citizen will have access to redress mechanisms.

Individual rights redress
Under Safe Harbour 2.0, any citizen who considers that their data has been misused will be able to turn to a number of accessible and affordable dispute resolution schemes. Ideally the complaint will be resolved by the company directly in the first instance; otherwise free-of-charge Alternative Dispute Resolution (ADR) will be offered.

EU US annual joint review
The Privacy Shield scheme will be reviewed jointly each year by the European Commission and the US Department of Commerce. National intelligence experts from the US and the European Data Protection Authorities will take part, assessing all available sources of information, and a public report will be issued to the European Parliament and the Council.

So where does this leave the rights of UK citizens post Brexit?
We need to remember that until the Article 50 process has run its course and the UK has actually left the EU, UK citizens are still EU citizens, so we all benefit from these changes. In fact the General Data Protection Regulation (GDPR), which applies from May 2018, will become law in the UK as we will still be part of the EU at that point. Additionally, the Information Commissioner's Office (ICO) has already stated that any re-draft of the UK Data Protection Act would have to take into account both the GDPR and Safe Harbour 2.0.

The changes we have seen so far, and the adoption of a single European data protection law, lead me to ask: would a global data protection or global data transfer regulation, much like the international standards, help safeguard every citizen?

European Commission presses for unified vision in cloud data protection laws


The EC’s Head of Software, Services & Cloud Computing, Pearse O’Donohue, spoke of his frustration with legislative barriers from individual member states around their differing data protection laws.  These variations, in O’Donohue’s view, are thwarting an increased uptake of off-premise cloud technologies.

Speaking at the Datacloud Europe event in Monaco this week, O'Donohue argued in favour of the proposed EC Digital Single Market. This would, he said, make it easier and cheaper for start-ups and enterprises to do business across Europe using cloud services, in turn increasing economic productivity, GDP and job creation.

“We need to ensure providers and users have access to the full European market, and the services are in competition with each other, which leads to greater innovation and lower cost,” said O’Donohue.

However, companies may be prevented from using certain services or selling their wares in other EU member states because of differences in consumer protection laws and data sovereignty issues. Allied to this, shipping costs can make procurement deals between countries uneconomic, while website blocks are sometimes employed to stop consumers buying goods and services from other member states.

In seeking a free flow of data, O'Donohue says: "The biggest single contribution we can make is to remove existing national laws to ensure there is one marketplace…. We seek, other than for legitimate reasons of personal data protection or matters of national security, to remove those barriers. That is a key issue for us if we are to talk about a single digital market".

In the UK, while the Government presses for deployment of digital services across the public sector, it has a remit to use UK companies, governed by various tendering frameworks (such as the new RM1058 framework for Technology Services, on which Amicus ITS is listed). These, along with the new Crown Hosting data centres, will ring-fence UK data so that there is no fallout from sovereignty issues relating to core personal data. While this may deal with data sovereignty across the EU and in many member states, what impact would it have on the major global providers?

Amicus ITS working with partners can enable the use of global, trusted and recognised brand software platforms while ensuring UK data sovereignty is maintained.


The Week’s Technology News – 28th November 2014

Coldfinger not goldfinger, as smartphone biometrics not a panacea

Former GCHQ boss, Sir John Adye, has just given evidence about his concerns regarding the unsupervised use of biometrics on smartphones to an audience of British MPs in the Commons Science and Technology Committee.

Adoption of fingerprint technology has taken off most notably with Apple's iPhone 6, and users can now make payments and access services using a fingerprint. However, as the former GCHQ chief, who now runs his own biometrics company, commented: "I don't know what happens to my personal data when I use it on a smartphone… there's no physical supervision of the system (unlike an ATM which a bank oversees)". "You need to design security methods… which are going to be strong to protect the interests of the individual who is using the phone and the relying party at the other end… the bank or whoever it is, who is providing a service to them."

Apple says it uses the most technologically advanced fingerprint security and puts security and privacy at the core of the "Apple Pay" system. But Adye also wants more transparency in the way personal information is passed to third parties. He does not believe users fully read the notices behind the tick-box procedures, which breeds complacency while, in the background, the criminal community gets ever more clever about finding ways in.

Another biometrics engineer presenting to the Committee, Ben Fairhead, explained that there are various anti-spoofing and other methods for working out whether a finger is real, but acknowledged that false rejections occur if, for example, blood flow to the finger is low. In a twist on the old tales of criminals smuggling a file into prison, we now have criminals adding iron filings to fake fingers to mimic the conductivity of human skin. From the Government's point of view, there will be increasing pressure to demonstrate that the growing acceptance of biometrics in border controls and public services has been weighed against sufficient measures to safeguard against the risks and possible flaws.

Forget me not
With the 'right to be forgotten' now in place, the European Commission has finally published guidelines telling search providers how to handle individuals' take-down requests (first discussed in our blog of 16 May 2014).

Mostly the guidelines match what Google has already been doing, and a balance is struck between an individual's wish for privacy and the public's right to know. One area that has caused consternation in the EU, though, is Google's practice of warning both users and site operators when it de-lists a result. According to the Commission this has no legal basis and could itself contravene data protection law.

This is the so-called 'Streisand effect', named after US singer Barbra Streisand, whose attempt to have information about her home removed from the web ended up drawing far more attention to the very thing she wanted kept private.

The Commission also wants a level playing field, so that de-listing applies to all web domains rather than only to country-specific ones (i.e. '.co.uk' or '.fr') while leaving uncensored results on the '.com' page. This comes at a time when requests for Microsoft's Bing search engine have just started to be reviewed, including those routed through the 'Forget.me' request service, with the EU advice serving as a template; it remains to be seen whether the guidelines can please both sides and the regulators.