Since 1st August 2016, the Privacy Shield has formed the legal basis for data sharing between the EU and the USA. The agreement was renewed for the second time on 19th December 2018. The news is barely more than a footnote, given that any other decision would have been a surprise. If the western nations had been incapable of agreeing on compliance with a common level of data protection, the damage would have been significant.
Nevertheless, the path to that point was fraught with difficulties and there are doubts about the agreement’s future. Although its renewal in 2017 went unremarked, the EU parliament started tightening the thumbscrews in 2018. It demanded that the US implement a number of measures by early September 2018 in order to guarantee an acceptable level of protection. These included the nomination of an ombudsperson to handle conflict situations – a measure that had been planned from the outset but not implemented.
The USA complied with this and other demands, because failing to do so would have had the effect of officially suspending the Privacy Shield. But this year it will be interesting to see how long the US administration can continue to try the patience of its suppliers and the EU. The EU, in its latest report, again demands the nomination of a permanent ombudsperson by 28th February, in addition to other measures to improve data protection safeguards. This person should replace the current incumbent, who only holds the position on an interim basis. The appointment is designed to ensure that complaints about access to personal data by US authorities are dealt with correctly. To stay competitive, most US providers have decided to comply with the stricter European data protection rules on a voluntary basis and offer standard contractual clauses to this effect.
In this context, one interesting aspect is the confusing data protection and information security situation around the world – especially as it has changed fundamentally over the last few months.
GDPR and Microsoft set the pace
With the GDPR coming into effect, the pressure on US providers to comply with data protection standards has increased anyway – regardless of the Privacy Shield renewal. But is data protection becoming an export product? That would have been unthinkable just a few years ago and says a lot about the global respect for European legislation. This is a considerable achievement that will have an effect on providers around the world.
Microsoft is now setting the pace in this area. It recently published the six principles it believes international agreements should adhere to.
- Control: Users are provided with simple tools and clear choices to keep full control over their data.
- Transparency: This enables users to always make informed decisions about the provision and use of their data.
- Security: Data is protected with a high level of security and encryption measures.
- Strong legal protection: Microsoft adheres to all applicable data protection laws and supports privacy protection as a fundamental human right.
- No content-related advertising: Microsoft does not use the content of emails, chats, files or other personal content for targeted advertising.
- Benefit-based: If user data is collected, it is utilised for the benefit of the user and to improve the service.
This shows that companies do need to agree common standards, especially those whose business is international. And that in turn is a further indication that data protection is no longer a national concern. It is fast becoming a global issue – just like climate protection and other topics.
International law enforcement
However, the other side of the coin is highlighted by a new development in EU legislation. Currently, handing crime-related data over to international authorities is blocked by local laws and a lack of cooperation between the various authorities. The EU wants to change this situation and is currently working on an e-evidence regulation. The EU commission’s goal is to create an alternative to the formal judicial assistance procedures and give the investigating bodies faster access to communication data. The regulation would authorise EU member states’ law enforcement agencies to demand the immediate provision of user data from internet and telecoms providers. These providers could be located in other EU member states as well as in third countries outside the EU. The data they could request includes account, access, transaction and content information. The plan has already generated criticism from German and other ministers. It seems odd that the regulation should be fast-tracked in this way, given that it still exposes service providers to the risk of breaking local laws in other countries.
All this is keeping the data protection debate pretty lively. But the following key principles governing the protection of personal and sensitive data should continue to remain unshakeable.
- Local data storage: Companies would be well-advised to store data in countries with appropriate data protection laws, such as the EU and Switzerland.
- Data processing security and operator shielding: The technical and organisational requirements must comply with the GDPR, and the provider must hold the certifications to prove that they do. In addition, the service provider should not be able to access the customer’s data: data that is encrypted cannot be read by anyone who does not hold the key.
- Contractual transparency: The security procedures should be defined in a contract and be transparent as well as traceable.
- Need-to-know principle: Each employee only receives the information access they need to do their job.