We’ve got a finalized Privacy Shield agreement: What’s new?

More than nine months after the Court of Justice of the European Union struck down Safe Harbor, and five months since the Privacy Shield agreement was first announced, it’s official. Privacy Shield is approved. Organizations seeking to transfer European data to the U.S. will be able to sign up for certification starting August 1, according to U.S. Commerce Secretary Penny Pritzker.

When the provisional text was released in March, we covered the operational changes in Privacy Shield, which are contained within Annex II of the Privacy Shield framework and outlined in a set of Principles. Since then, Privacy Shield has undergone review by the Article 29 Working Party, the European Parliament, the European Data Protection Supervisor, and, finally, the Article 31 Committee. The new text, released today, addresses many of the concerns that were raised on review.

The most significant changes, which largely don’t affect companies participating in the transfer mechanism, concern the thorny issue of U.S. national security access to European data. The new Privacy Shield text, for example, contains additional assurances and clarifications around the bulk collection of signals intelligence. For companies seeking to self-certify to Privacy Shield, however, there are several noteworthy tweaks to the text. In particular, the latest Shield language clarifies standards around secondary processing, retention periods and onward transfers of personal information.

Greater detail on what counts as compatible secondary processing

To comply with Privacy Shield, an organization may process only personal information that is “relevant for the purposes of processing.” Moreover, “an organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.” This language is contained within the Data Integrity and Purpose Limitation Principle.

Critics worried that allowing processing so long as it is “relevant” and not “incompatible” could permit overly broad interpretations and practices. The new Privacy Shield text therefore adds examples of compatible processing activities. What will be considered compatible depends on the circumstances, but may include processing “that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending the organization’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.”

The Commission’s adequacy decision also provides new clarification that these rules around compatible processing interact with the Choice Principle. Thus, “where a new (changed) purpose is materially different but still compatible with the original purpose, the Choice Principle gives data subjects the right to object (opt out).” This does not mean, however, that an organization can use an opt-out mechanism for incompatible processing.

Privacy Shield adopts a “risk-based approach” to deidentification and data retention

The new text adopts a “risk-based approach” to defining identifiable personal information for the purposes of secondary processing. While a Shield-certified organization may retain personal information “only for as long as it serves a [the original or compatible] purpose of processing,” it may retain the information indefinitely if it is not “in a form identifying or making identifiable the individual.” Whether an individual remains identifiable in a dataset depends on the ability of the organization or any other third party to identify the individual “given the means of identification reasonably likely to be used (considering, among other things, the costs of and the amount of time required for identification and the available technology at the time of the processing) and the form in which the data is retained.”

This risk-based framework notably conflicts with the Article 29 Working Party’s definition of identifiability under the Data Protection Directive, which allowed for essentially zero risk of reidentification.

Full article by





Privacy Shield deal lets US tech firms transfer European customers’ data again

After much delay from surveillance concerns, the EU agreed to Privacy Shield, a new data transfer deal that will affect Facebook, Google and other US tech firms

Governments across the European Union have finally given the green light to a new deal on how consumer data must be transferred with the United States, ending months of delay caused by concern over US surveillance.

Privacy Shield, the new commercial data transfer pact, was provisionally agreed by the EU and the US in February and will come into effect on Tuesday.

The EU’s top court had struck down the previous data transfer agreement, Safe Harbour, on concerns about intrusive US surveillance – leaving companies, including Google, Facebook and MasterCard, in legal limbo.

Representatives of European Union member states mostly voted in favour of the EU-US Privacy Shield, but there were abstentions from Austria, Slovenia, Bulgaria and Croatia, sources said. Austria and Slovenia have voiced concerns that the pact does not go far enough to secure their citizens’ privacy.

The new framework will underpin over $250bn of transatlantic trade in digital services annually by facilitating cross-border data transfers that are crucial to international business.

“Today member states have given their strong support to the EU-US Privacy Shield, the renewed safe framework for transatlantic data flows,” Commission vice-president Andrus Ansip and justice commissioner Vera Jourova said in a statement.

The Privacy Shield seeks to strengthen the protection of Europeans whose data is moved to US servers by giving EU citizens greater means to seek redress in case of disputes.

For 15 years Safe Harbour allowed both US and European firms to bypass tough EU data transferral rules by stating they complied with European privacy standards when storing information on US servers.

Cross-border data transfers by businesses include payroll and human resources information as well as lucrative data used for targeted online advertising, which is of particular importance to technology companies.

Industry group DIGITALEUROPE, which represents Apple, Google, IBM and others, expressed relief at Friday’s vote, saying it would restore trust in data transfers between the EU and United States. “Our members are ready to implement the new framework and meet the compliance challenge that the strengthened provisions demand from companies,” said John Higgins, director general of the group.

TechUK, which represents 900 firms in the UK, described Privacy Shield as “restoring a stable legal footing”. “The coming months will see much discussion on future options for the UK’s data environment in a post-Brexit world, today’s agreement underlines the importance of data flows to transatlantic trade,” said Charlotte Holloway, the group’s associate director of policy. “We urge policymakers to continue to keep front of mind that data and trade go hand in hand in today’s global economy.”

Brussels and Washington intensified negotiations to hammer out a replacement for Safe Harbour after the Court of Justice of the European Union in October declared it invalid because it did not sufficiently protect Europeans’ data from US snooping.

Revelations three years ago from former US intelligence contractor Edward Snowden of mass US surveillance practices caused political outrage in Europe and stoked mistrust of big US tech companies.

“It (the Privacy Shield) is fundamentally different from the old Safe Harbour: it imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice,” Ansip and Jourova said.

The United States will create an ombudsman within the state department to field complaints from EU citizens about US spying and has ruled out indiscriminate mass surveillance of Europeans’ data.

EU data protection authorities in April demanded that the framework be improved, citing concerns with the leeway they said it left for the United States to collect data in bulk.


Brexit: Tech leaders try to paint bright Brexit future

It is probably not controversial to say that the UK tech scene, and in particular London, was very much in the Remain camp in the EU referendum.

Tech entrepreneurs were worried about what Brexit would mean for access to the single market, the confidence of investors and their access to skilled staff from across Europe.

At an event at the Wayra tech incubator in London on the very day of the referendum, a secret ballot showed an overwhelming majority voting to remain.

But now some powerful voices in the tech community are trying to dispel the gloom and paint a brighter picture of the UK’s post-Brexit future as a hi-tech hotspot.

Leading the charge was Rohan Silva, former Number 10 adviser and now the man behind the achingly cool Shoreditch start-up space Second Home.

Writing in the Sunday Times newspaper, he called on his fellow techies to cheer up, roll up their sleeves, and strategise for a profitable future.

His recipe included a big cut in taxes – in particular reducing corporation tax to 10% – and reforming the immigration system by using our expertise in machine-learning and data analytics to make it cheaper and faster.

Some sceptics questioned whether turning the UK into what they described as an offshore tax haven was really the way forward.

And the belief that machine-learning can magically produce an answer to the immigration problem will sound to many like the most naive brand of tech utopianism.

But Mr Silva’s upbeat outlook – if not necessarily his tax-cutting recipe – was endorsed by Baroness Martha Lane Fox, now a director of Twitter and probably the best known person on the UK’s tech scene.

“I’m an optimist – we have huge potential,” she told me. “Let’s use the power of the internet as a force not just for business growth but social cohesion and growth.”

Full article: Rory Cellan-Jones


Referendum result response from ICO

An ICO spokesperson said:

“The Data Protection Act remains the law of the land irrespective of the referendum result.

“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.

“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that would continue to be the case.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”


MPs: Fine companies for cyber security failings and jail data thieves for two years

News: Culture committee wants CEOs’ pay linked to effective cyber security.

A report by the Culture, Media and Sport Committee has recommended fines for companies that fail to guard against cyber attacks, with further recommendations including linking CEOs’ salaries to effective cyber security.

The report, which was the result of an inquiry triggered by the high-profile TalkTalk data breach, also pressed the need for companies to have robust strategies and processes in place, stating that it is ‘not enough for companies to say they weren’t aware’ following disclosure of a data breach.

It also recommended that victims of a data breach should be able to access compensation easily, and that the Information Commissioner’s Office (ICO) should have a system in place allowing it to escalate the fines at its disposal to sanction those who fail to report, prepare for or learn from data breaches.

The Committee used the massive TalkTalk hack as a case study for lessons to be learnt. Jesse Norman MP, Chair of the Committee, said:

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment. Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.

“As the TalkTalk case shows, the reality is that cyber-attacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds.”

However, the focus of the report was not just on companies, with those stealing and selling data also in the committee’s firing line. The report recommended a new custodial sentence of up to two years for those convicted of unlawfully obtaining and selling personal data.

The Snoopers’ Charter, or Investigatory Powers Bill, also made an appearance in the list of recommendations, with the MPs’ committee urgently calling on the government to address vulnerabilities in the massive new data pools created by the IP Bill.

Welcoming the report, Talal Rajab, head of cyber and national security, techUK, said: “Today’s report by the Culture, Media and Sport Committee highlights the importance of good cyber-security practices for businesses of all sizes that have an online presence or service.

“The report rightly recommends that CEOs put cyber-security at the top of their agenda and assign full day to day responsibility of cyber-security to a dedicated professional. Under proposals in the upcoming Investigatory Powers Bill, companies may be required to store large pools of data that are vulnerable to attack. To maintain user confidence in digital services, and the growth of the UK’s digital economy, companies must have appropriate cyber-security policies and processes in place”.

Article by: Eleanor Burns


In “an unusual move,” US government asks to join key EU Facebook privacy case

Decision likely underlines pivotal importance of the case for transatlantic data flows.

The US government has asked to be joined as a party in the Irish High Court case between the Austrian privacy activist and lawyer Max Schrems, and the social network Facebook. In a press release, Schrems called this “an unusual move.”

He told Ars that there are no documents relating to the “amicus curiae”—friend of the court—request yet. “The US government simply appeared via a barrister at the first (administrative) hearing today,” he said. “They will be able to file the documents until the 22nd.”

Schrems speculated that the US government has made this move because it wanted to defend its surveillance laws before the European Courts. “I think this move will be very interesting,” he told Ars. “The US has previously maintained that we all misunderstood US surveillance.”

The Court of Justice of the European Union struck down the Safe Harbour agreement between the EU and the US largely because of fears that personal data sent from the EU to the US would be subject to US surveillance without sufficient safeguards. The latest move seems to be an attempt by the US government to convince European courts that personal data is adequately protected when it is transferred to the US.

But as Schrems notes in his press release, the US government’s bold approach carries risks. “Compared to diplomatic talks with the EU and EU member states, as well as public statements in the United States, it will not be protected by US laws on confidentiality and be placed under oath,” he wrote. “The party that gives evidence on behalf of the US government could therefore face severe consequences, if he does not truthfully answer all questions raised on US mass surveillance.”


Full article by Glyn Moody

What will mandatory DPOs look like under the GDPR? Germany could tell you

One of the biggest game-changers in the new EU General Data Protection Regulation is that it will force many businesses across the bloc to appoint a data protection officer.

So far, countries like the U.K. advise companies who engage in lots of data processing to appoint a DPO, but only one country – Germany – mandates the role. So what better place to look to see how well such systems work?

The German law requiring DPOs came into force in 2001. It was actually quite welcome for many companies, because it’s a largely self-regulatory system that meant they no longer had to make regular filings to data protection authorities whenever they changed their processes.

“The internal DPO within a company is quite a strange cat,” said Freiherr von dem Bussche.

The DPOs are in a curious position, appointed by the board but answerable to the country’s data protection laws, not management. They can’t be blocked from looking into certain processes, and they can’t be fired for doing their jobs. However, they report to the board, telling them what they have to do to be in compliance, and if the company doesn’t follow their advice, they don’t then have to go snitch to the authorities – their job is done.

According to Thomas Spaeing, the CEO of the German Association of Data Protection Officers (BvD), their primary job is not supposed to be about protecting their company, but rather protecting people whose data is processed by the company.

However, not all companies are actually appointing DPOs when they’re supposed to (an obligation on all companies who have more than nine people handling personal data), he said. But this is changing as data protection infects the public consciousness.

“In the last six to eight years, data protection has become very important for the companies, because a lot of things happen [that become] a good story for the newspaper,” Spaeing said. “A lot of companies understood it’s a good thing to have a DPO. It’s like a trust centre for the customer … kind of a competitive advantage.”

Axel Freiherr von dem Bussche, a partner at Taylor Wessing, also said companies have recently started taking the mandate more seriously, particularly after the revelations of Edward Snowden.

“In the beginning, companies were very happy to get rid of their data protection compliance requirements and took anyone who was close enough to the door of the board,” he said. “Everyone was laughing about them; they had no clue. Today, in the post-Snowden world, this role becomes much more serious. You have far more professional, full-time DPOs.”

Full article by