Privacy Shield is Struck Down, What Now?

Dapro Technologies – July 2020 

Author: Paul Rogers, Data Privacy Consultant

In a far-reaching decision for GDPR, the European Court of Justice today struck down the EU-US Privacy Shield. The abbreviated text of the decision can be viewed on Twitter here (p. 3), while the official text published on curia.europa.eu can be found here, starting at section 163.

To summarize the key points: in the view of the European Court of Justice, the legal basis under which US law enforcement and intelligence agencies gather information on subjects is too broad and is not limited to what is strictly necessary. The full text on the curia site specifically cites the PRISM and UPSTREAM mass surveillance programs as examples of collection that is too broad.

In essence, the ruling disputes the proportionality of this type of personal data collection, particularly for non-US persons. It also highlights the problem of judicial recourse for EU citizens; in other words, what complaint mechanism exists if I don’t like how my personal data is being used?

Ombudsman

Privacy Shield introduced the role of an ombudsman based in the US, which the State Department website describes as

“a position dedicated to facilitating the processing of requests from EU and Swiss individuals relating to national security access to data transmitted from the European Union or Switzerland to the United States”

In today’s ruling by the ECJ, the Ombudsman’s authority is called into question. Specifically, the Ombudsman cannot guarantee independence or, for example, enforce legally binding rules on intelligence agencies. This contrasts with EU citizens, who can be afforded legally binding protections by their country’s data protection authority and/or the ECJ if their rights have been proven to be violated by state surveillance agencies.

Max Schrems

So what does Max Schrems make of the judgement? Unsurprisingly, he was critical of the establishment and issued the following statement via his website, noyb.eu:

“I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.”…
“The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley”

He goes on to criticize the Irish DPC for perceived unnecessary delays and for failing to enforce standard contractual clauses (SCCs). Understandably, he feels vindicated, although it might be a bit early for a victory lap: we have yet to see what changes come of it all, and particularly how the social media giants may respond.

What Does This All Mean?

Well, the good news first: standard contractual clauses (SCCs) and binding corporate rules (BCRs) are still upheld for third-country transfers, so the world keeps spinning for multinationals and their legal departments. Now the bad news: Safe Harbor and now Privacy Shield have both been thrown under the bus, and it now seems more unlikely than ever that data protection needs will outweigh US state security needs to the extent that a successor to Privacy Shield would work. The two concepts, data privacy and mass surveillance, are diametrically opposed and will remain so.

The options now facing the EU and US authorities are to accept one of the following:

  • A derogation for national intelligence agencies is put in place
  • The US Ombudsman gets extra enforcement powers which satisfy the ECJ
  • Offending data is somehow not transferred, or only minimally transferred, between the EU and the US, and is instead processed within regions, much like a data center region for Amazon AWS, for example
  • Or we remain in limbo until somebody budges and yields to the ECJ

In any scenario, trust is called into question again, and hence the working relationship between the US and the EU remains under pressure from activists. Both sides put effort into trying to make Privacy Shield a substantive piece of legislation, but the ghosts of Edward Snowden’s revelations and Cambridge Analytica are still haunting the data privacy house.
I suspect, though, that the impasse will be broken, but it’s going to need stronger language than what’s in place now.
