
UPDATE Privacy Shield / Digital Watchdog Unleashed Against US Tech Giants


SURbit


UPDATED: Privacy Shield AKA SAFE HARBOR - see bottom of this OP

Digital Watchdog Unleashed Against US Tech Giants

Continuing the EU’s assault on US tech giants, Isabelle Falque-Pierrotin of France has assumed the role of pitbull in the digital arena where Margrethe Vestager of Denmark once dogged the American behemoths on monopolistic grounds. Unlike EU cyber sleuth Vestager, Falque-Pierrotin is charged with monitoring how firms such as Facebook and Google handle the billions of digital bits of personal data routinely collected on Europeans by US companies, and has been at it for nearly five years.

 

 

 


 

 

 

Enjoying the empowerment of Europe’s highest court, her attempts to throttle the US tech titans will come into sharper focus soon, as the EU grapples with methods to turn the tide against the companies’ practices regarding data transfers. Rebuking them, she said,

 

American companies do not have an immediate right to collect data on our citizens. If they are on our soil, then they need to live with the consequences.

Terse language like this seems only to embolden the US firms, and validates their belief that they are being targeted by the EU simply for being foreign firms – specifically American ones.

 

The impetus for Falque-Pierrotin’s renewed scrutiny is the expiration this fall of the 15-year-old “safe harbor” pact which had allowed companies to move information freely between the United States and Europe, and the recent EU judges’ ruling that European data is not adequately protected when transferred to the US. As a result, Europe and the US are at an impasse regarding how American intelligence agencies monitor Europeans’ digital profiles. The stakes in this fractious fracas are large, as many US companies such as General Electric and Pfizer, representing billions of dollars of trade between two of the world’s largest economies, routinely move customer and employee data between regions and continents.

 

But the likely monetary outcome is greatest among tech firms such as Google and Facebook, whose ad revenues are dependent on the free flow of the valuable information from social media posts, search questions, and online purchases. This movement is easier in the laid-back, free-wheeling economy of the US, as opposed to the more buttoned-down atmosphere in Europe. By virtue of her position, Falque-Pierrotin is in the driver’s seat. She and Europe’s other privacy watchdogs can decide whether any new agreement meets Europe’s more stringent standards. If the American companies don’t play ball, she could impose further restrictions on how data is transferred across the Atlantic.

 

Google, for one, finds itself in the uncomfortable spot of being in European regulators’ crosshairs yet again. It will probably be fined as an outgrowth of the notorious “right to be forgotten” ruling, but the potential pittance it will pay for misinterpreting that decree will pale in comparison to the financial fallout of a negative digital privacy rap. At present, they are tussling over the former matter, with Google maintaining that it should only erase links in the French domain, while Europe argues that links should be removed across the board worldwide. It would seem, however, that Ms. Falque-Pierrotin is holding the high hand in this high-stakes poker game.

 

The US Commerce Department, while backing its member firms, contends that they have yielded to Europe’s privacy concerns. Bruce Andrews, the deputy secretary, said,

We’ve agreed to make major changes. The U.S. takes individuals’ privacy very seriously.

 

But Falque-Pierrotin remains unmoved, which is a tenuous situation for the US as she could impose grave sanctions against American companies. When asked to comment on the status of the relationship with the giant across the pond, she said,

Does the US provide sufficient privacy guarantees? Until now, the answer is no.

This is not what the US wants to hear at a time when some of its biggest and most profitable firms are under the gun and operating with little leverage.

SOURCE

=========================================================================


UPDATE: Privacy Shield AKA SAFE HARBOR 02-03-2016

 

Goodbye Safe Harbor, hello Privacy Shield: that's the name given by European Union and U.S. negotiators to the deal they struck on Tuesday enabling legal transfers of personal data between the two regions.

 

The EU-US Privacy Shield "will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses," the European Commission said in a statement announcing the agreement.

 

Reactions were mixed, however, with some arguing the new framework fails to protect the privacy of European citizens. NSA whistleblower Edward Snowden was among the critics.

 

Designed to replace the Safe Harbor agreement that was struck down in October, the new deal imposes stronger obligations on U.S. companies to protect the personal data of European citizens. It also calls for stronger monitoring and enforcement by the U.S. Department of Commerce and the Federal Trade Commission, both of which will cooperate with European data-protection authorities to address any complaints by EU citizens. A dedicated new ombudsman will help oversee complaints and enquiries as well.

 

Finally, there will be a joint annual review focused on monitoring and ensuring that commitments are upheld.

 

"The EU and the United States are the closest allies," said Andrus Ansip, vice president of the EC in charge of Digital Single Market, in a press conference on Tuesday. "On a topic as important as this, we had to find common solutions. I believe this new arrangement is what Europe needs -- both our citizens and our businesses will benefit from this."

 

U.S. Commerce Secretary Penny Pritzker was similarly optimistic. 

 

"It's been a long road, but we've turned the corner and now we stand together," Pritzker said during a press call on Tuesday. "This will allow the digital economy in both the EU and the U.S. to continue to grow."

 

As part of the agreement, the Commerce Department will ensure that U.S. companies publish their commitments to protect Europeans' privacy, making them enforceable under U.S. law by the FTC. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.

 

Meanwhile, the U.S. has given the EU written assurances for the first time that data access for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred inside its borders. The annual joint review will include the issue of national security access, with participation by national intelligence experts from the U.S. and European Data Protection Authorities.

 

Coming up next, the EU College of Commissions has mandated Ansip and the European Commissioner for Justice, Consumers and Gender Equality, Vĕra Jourová, to prepare a draft "adequacy decision" in the coming weeks. That, in turn, could then be adopted by the college after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new ombudsman.

 

Though it was applauded by the U.S. Direct Marketing Association and Microsoft President and Chief Legal Officer Brad Smith, reactions elsewhere were decidedly less enthusiastic about the new agreement. 

 

"We urgently need a thorough legal appraisal of the safeguards offered by the U.S.," said Sophie in 't Veld, vice president and spokeswoman for data protection for the Alliance of Liberal Democrats in Europe. "The legal status of these safeguards is very unclear. It is highly doubtful that they offer meaningful protection to European citizens."

 

Similarly, "the emperor is trying on a new set of clothes," said Joe McNamee, executive director of European Digital Rights. "Today's announcement means that European citizens and businesses on both sides of the Atlantic face an extended period of uncertainty while waiting for this new stop-gap solution to fail."

 

At least one U.S. company was also skeptical.

 

"European attitudes toward data privacy have not changed, and we suspect it will only be a matter of time before Safe Harbor 2.0 is challenged in court," said Yorgen Edholm, CEO of Accellion. "Ultimately, the practice of trans-Atlantic data transfer will remain controversial as long as there remains a fundamental difference of opinion between the U.S. and the EU on what is more important: national security or data privacy. We don’t believe Safe Harbor 2.0 will end this debate."

 

Meanwhile, Europe's data protection authorities were meeting on Tuesday, a day before they are scheduled to publish an evaluation on how recent changes in U.S. law affect trans-Atlantic data transfer using alternative legal mechanisms. They will likely also offer an opinion on the Privacy Shield deal.

SOURCE

 

UPDATE: 02-04-2016  Below (scroll down page) - a win-win in diplomatic terms, but a lose-win in reality

2 hours ago, SURbit said:

We’ve agreed to make major changes. The U.S. takes individuals’ privacy very seriously.

Ahhahhhahhha. Actions speak louder than words.



That doesn't mean we will stop collecting data, just means we won't publish it. :D



"a tenuous situation for the US as she could impose grave sanctions against American companies" - "Google, for one, finds itself in the uncomfortable spot of being in European regulators’ crosshairs yet again. It will probably be fined as an outgrowth of the notorious “right to be forgotten” ruling, but the potential pittance it will pay for misinterpreting that decree will pale in comparison to the financial fallout of a negative digital privacy rap."

 

Until the bottom line is one of privacy and not of profit - then take the money, that's the attention getter to them!



UPDATE: Jan 29, 2016 8:07 AM / No agreement as deadline to replace Safe Harbor nears - (well, it's actually passed now)!

 

EU and U.S. negotiators are struggling to reach agreement on a new transatlantic data-transfer agreement ahead of a Jan. 31 deadline set by privacy watchdogs

 

Two days from their deadline, U.S. and European Union negotiators still have no replacement for the transatlantic data-transfer agreement overturned last year by the EU's top court.

The original Safe Harbor agreement enabled companies to store and process EU citizens' personal information in the U.S. in compliance with strict European data protection laws, and its invalidation by the Court of Justice of the European Union last October in a case relating to Facebook's activities has called into question the operations of companies large and small.

EU negotiators appear to be pushing for further concessions from their U.S. counterparts as they work on Safe Harbor's replacement, and may be prepared to miss the Jan. 31 deadline imposed by Europe's privacy regulators rather than compromise on their principles.

"Intense negotiations are ongoing. They are constructive but there will not be agreement for any price," spokesman Christian Wigand said Friday at the commission's daily news briefing. "We need an agreement that lives up to the benchmarks set by the Court of Justice."

 

Among the court's requirements was a right to legal redress for EU citizens whose personal data is inappropriately handled by U.S. law enforcers, intelligence agencies and other public bodies after it is transferred to the U.S.

The continued absence of such a right from U.S. law is one of the sticking points for European lawmakers. The U.S. House of Representatives has already approved a text that would satisfy European negotiations, the Judicial Redress Act, but the bill has not yet received Senate approval. On Thursday night the Senate Judiciary Committee gave it their assent, but it has not yet been scheduled for a full vote.

The Safe Harbor data-transfer agreement provided companies with a way to collect the personal information of Europeans and process it legally in the U.S.

European Commission representatives had already begun calling for changes to the agreement in 2013, when Edward Snowden's revelations about the U.S. National Security Agency's activities made it clear that the agreement did not afford data held in the U.S. the same protections as it received in Europe, as required by the 1995 Data Protection Directive.

 

Nevertheless, the invalidation of the agreement by the Court of Justice of the European Union on Oct. 6 came as something of a shock for European businesses. The court had been asked to rule on a much narrower question in a case brought against Ireland's Data Protection Commissioner by Austrian Max Schrems over the commissioner's handling of his complaint against Facebook.

Schrems, a Facebook user, had asked the commissioner to rule that, in the light of the Snowden revelations, Facebook's reliance on the Safe Harbor agreement to process his personal information in the U.S. did not provide the privacy protections required by the 1995 directive.

Facebook has not changed its practices since October, saying that in any case it doesn't rely on the Safe Harbor agreement to justify the legality of its activities.

The directive offers companies other tools to guarantee customers' privacy when transferring their data to the U.S., including model contract terms for use in their dealings with U.S. partners, and binding corporate rules for transfers between subsidiaries of a multinational.

However, there are also questions about whether those tools meet the standards set by the Court of Justice. Europe's data protection authorities will meet on Feb. 2 to finalize a report on the impact of the decision on the other data transfer tools, which they plan to present on Wednesday.

SOURCE



UPDATED: OP with current information as of 02-03-2016 Privacy Shield: AKA Safe Harbor

UPDATE: 02-04-2016  Below (next comment) - a win-win in diplomatic terms, but a lose-win in reality



UPDATE: 02-04-2016  SOURCE

News hit Tuesday (Feb. 2) that the U.S. and the European Union had agreed to a deal on data transfers. The deal, according to an initial report from The Wall Street Journal, had the U.S. agreeing to “binding assurances that personal information about Europeans wouldn’t be subject to mass surveillance when it is copied to U.S. servers.” (Read the IDG News Service story here.)

 

I hoped that something had been lost in translation from the Brussels agreement, but apparently that is indeed the gist of the deal. What it means is that the U.S. has promised something that it absolutely can’t deliver.

 

The U.S. negotiators almost certainly knew that. But the EU negotiators had to know it just as well. This is all politics and diplomacy, my friends, where both sides can agree to something that neither side believes, while hoping that their citizens won’t notice.

 

So the EU gets a solemn promise of privacy protections, which its voters want. And the U.S. gets no delays in data transfers, which U.S. companies want — a win-win in diplomatic terms, but a lose-win in reality, though one that the Europeans can stomach. Why? Because the inevitable privacy invasions will happen very quietly.

 

Let’s start with the basics. Even if we assume — which I don’t — that the U.S. can control every tentacle of its military and intelligence operations, it certainly can’t control private businesses, Congress (which would have to pass deals to punish those private businesses, which won’t be happening) or private citizens (some of whom are cyberthieves).

 

Hence, U.S. assurances that “personal information about Europeans wouldn’t be subject to mass surveillance when it is copied to U.S. servers” is simply not something that any government official can honestly promise. Indeed, it’s not something that anyone can promise.

 

For starters, there are no laws (yet) that would prohibit any company from analyzing and mining all data about its customers, as well as anyone who interacts with that company, whether it’s a Web/mobile visit, a call to a call center, a conversation with an employee or anything else.

 

And there’s nothing to stop corporate employees and private citizens from whatever snooping they want to pursue, although there are laws that make it illegal — assuming any of them realistically think they’ll get caught. And the rules don’t say that the data won’t be sniffed by Americans, but that it simply won’t be sniffed. What if Chinese, Russian or Iranian cyberthieves hit the servers and bring the data back to their corporate backers?

 

But this goes further than that. What kind of data are we talking about? All kinds. Indeed, the Journal story specifically referenced that this deal was intended to address earlier concerns including “Web-browsing habits” and “salary details.”

 

Whoa! Browsing habits? Even if, in some alternative universe, companies like Google and Amazon were somehow convinced to exclude from analysis any activity coming from a European IP address, this deal is about data transfers, with the content ultimately residing on U.S. servers. If someone with access to those servers and that data goes surfing, how can we possibly offer the promise that it won’t be accessed or analyzed by anybody?

 

This has echoes of companies that promise, for example, that payment data won’t go anywhere — until someone remembers that marketing grabbed a full copy and that Sydney dumped a copy onto a thumb drive and worked on it at home over the weekend. And he used the desktop he shared with his teen-aged son, who likes video games that tend to drop viruses.

 

Let’s get back to those U.S. government intelligence agencies. They have been told to look for evidence of terrorist activity wherever they can. We simply can’t label any area of data “unsearchable,” because that’s where bad guys will go.

 

To be more precise, we can certainly say that we won’t look there, but what self-respecting NSA analyst wouldn’t? Both sides know this, but they play the game. In effect, the message is “I am glad you agree to not look at these files. And when you do look at them, make sure you don’t let us catch you.”

 

Steve Hunt, an industry analyst with Hunt Business Intelligence, initially reacted to the news with sarcasm. “That announcement makes me smile. I am actually thrilled about it,” he said. “I finally have a way to protect corporate secrets from government surveillance.” His tongue-in-cheek plan was to throw all sensitive data into a server, label the folder “European personal information” and “they’ll have to bypass.”

 

Hunt, turning serious, said that such an agreement “would require policy and oversight that extends far beyond traditional government reach” and added that it would be “so costly and difficult that it would be practically impossible. It’s a promise without any possible weight behind it.”

 

One of the many problems with such a move is audit efforts, confirming compliance. “Even a self-assessment would be prohibitively expensive and 100% gameable,” Hunt said. “The apparatus required to confirm a deeper audit would be so vast and expensive” as to be unworkable.

 

CIOs must not make these same mistakes. As Americans make greater privacy demands, don’t promise what you can’t deliver. If that’s what you want to do, go join marketing.


