Threat Intelligence Blog

Posted June 16, 2016

By Emilio Iasiello and Tobias Losch

The European Union (EU) and the United States (U.S.) are currently negotiating the “Privacy Shield” agreement, which would allow private companies to transfer data outside EU jurisdiction in order to support the $260 billion of trans-Atlantic commerce that depends on such transfers. In February 2016, the European Commission (EC) published the full text of the draft agreement, which is intended to replace the “Safe Harbor” Agreement invalidated by the European Court of Justice in October 2015. A major justification for that decision was the belief that U.S. companies did not offer the same level of data protection as their European counterparts, especially because they did not protect data from broad access by U.S. authorities. Reports about the scope of U.S. surveillance activities in the wake of the Snowden leaks were taken into consideration as well. As a result, data transfers under Safe Harbor were no longer an option, and companies have been waiting for a resolution that allows them to send data across the Atlantic without encumbrance.

The new “Privacy Shield” is supposed to address and propose stronger measures related to the privacy considerations that scuttled Safe Harbor, such as lack of an independent data authority and means to redress privacy infringements by government agencies. On paper, it appears that these goals of stronger obligations, more robust monitoring, etc. have been achieved.

According to a fact sheet, this agreement imposes stronger obligations on U.S. companies to protect Europeans’ personal data, and will require the U.S. to more robustly monitor and enforce these terms. The U.S. will also need to cooperate more with European Data Protection Authorities. Under the terms of “Privacy Shield,” the U.S. will provide a written commitment at the Cabinet-level that places limits on the government’s access to personal data for national security purposes. The U.S. is essentially agreeing that it will not engage in “arbitrary” surveillance of EU citizens, and will agree to an annual audit of their activities by EU and U.S. stakeholders.

Despite such promising improvements, activists and several European regulatory bodies remain deeply skeptical of the new draft and believe that there is little difference between the old Safe Harbor provisions and those stated in the “Privacy Shield” text. One critical point they highlight is the U.S.’ ability to circumvent limits on bulk data collection as it pertains to six national security considerations: detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to U.S. or allied armed forces; and combating transnational criminal threats, including sanctions evasion. These exceptions are stipulated in a letter from the general counsel of the Office of the Director of National Intelligence. One prominent Austrian activist who played a pivotal role in getting Safe Harbor invalidated – by bringing a court case against Facebook for not protecting his data – likened the letter to a confirmation that the U.S. will violate EU fundamental rights in these six poorly defined areas.

In an attempt to assuage these concerns, the U.S. agreed to establish an independent ombudsman located in the State Department to address complaints arising from incidents of improper access of personal data. However, critics point out that the ombudsman does not have the authority to scrutinize intelligence collection practices, which may ultimately impact any decision the individual may make given that he or she may not be privy to how the information was collected. Confirming that such investigations have been properly conducted may be difficult to do as EU regulators and justice officials may not be granted access to how findings were reached.

Further complicating matters are the changes to U.S. procedural laws that could potentially give the Federal Bureau of Investigation the ability to legally conduct bulk surveillance. In late April 2016, the U.S. Supreme Court approved a controversial change to Federal Rule of Criminal Procedure 41, or Rule 41, giving federal judges the authority to issue more sweeping search warrants for searching and collecting information from computers anywhere. This potential setback comes at a time when the Privacy Shield had already received poor reviews from a European privacy regulatory group.

That is not to say these are the only “sticking points.” Other concerns, such as how individuals will be notified of a potential compromise of their information, have not been spelled out. While companies have a 45-day window to report back to an EU citizen who has made a complaint, what exactly needs to be reported is unclear.

There are still several steps that must occur before “Privacy Shield” becomes a reality, which is reassuring given that, while progress has been made, the agreement may benefit from another pass or two by legislators, particularly with regards to clearer definitions. Additionally, the EU approval process for the agreement includes the endorsement of the 28 member states, a non-binding vote by the Article 29 Working Party of data protection officials, and a final decision by the College of Commissioners. And, after all of this, Europe’s high court could still have an opportunity to reject it. The possibility of another scrapped effort is so real that in early March, the U.S. President signed the Judicial Redress Act into law, essentially allowing EU citizens to sue U.S. federal agencies if they believe their rights were violated under the Privacy Act.

The U.S. has made considerable concessions in “Privacy Shield,” but they may not be enough to address the same concerns that rendered Safe Harbor null and void, especially with regards to bulk data collection for national security reasons. In the European Court of Justice’s decision on Safe Harbor, the Court states, “national security, public interest, and law enforcement requirements of the United States prevail over the Safe Harbor scheme…” The implication was clear: if you want to do business in Europe, companies and governments will have to act responsibly in safeguarding the data they have been entrusted to keep. This is not to say that the EU does not take lawful national security surveillance into consideration. The EU’s right to privacy includes an exemption for such endeavors; however, the nuance here rests in how such activities are conducted, and for what purpose.

In the end, it is not a bad thing that Safe Harbor was invalidated. The agreement was fifteen years old by the time it made its way to the Court, which in the digital age means it was already obsolete. As the news continues to expose poor data management practices, such as the 2015 Office of Personnel Management and the 2012 Dropbox cloud storage breaches, new concerns have developed about the way data is processed, transmitted, and stored. Agreements like the “Privacy Shield” – which will allow governments and businesses to interact without it being seen as a conflict of interest – need to be periodically reviewed and updated so they remain relevant and in step with current events.
