Feeds

EU warns United States: SHAPE UP on data protection OR ELSE

Reding: Sort it out soon or Safe Harbor framework is toast

High performance access to file storage

The US has until this summer to fix problems identified in the way an EU-US framework for the transfer of personal data between the regions operates, a senior EU official has said.

Viviane Reding, the EU's Justice Commissioner, said that the EU-US "safe harbour" agreement would be suspended if the US fails to take "legislative action before the summer". The Commissioner said that repairing Safe Harbour is the first step necessary if trust is to be rebuilt in "EU-US data flows" following revelations about the surveillance activities of the US' National Security Agency (NSA) in recent months.

"We must make Safe Harbour safer," Reding said in a speech in Brussels on Wednesday. "The Commission has made 13 concrete recommendations. 13 ways to improve all aspects of the functioning of Safe Harbour.

"Let me put it simply: we kicked the tyres and saw that repairs are needed. For Safe Harbour to be fully roadworthy the US will have to service it. This summer, we will see how well those repairs were carried out. Safe Harbour has to be strengthened or it will be suspended."

The safe harbour framework sets seven principles of data protection broadly equivalent to standards set under the EU Data Protection Directive and allows US companies that adhere to those principles and self-certify compliance with them to transfer personal data from the EU to US.

EU data protection laws prevent companies from sending personal data outside of the European Economic Area (EEA) unless "adequate protections" have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, are deemed by the European Commission to provide adequate protection.

The US has not been designated as providing adequate data protection, but the European Commission and US Department of Commerce negotiated the safe harbour scheme to facilitate personal data transfers between organisations in the EU and US. More than 3,000 US businesses are currently signed up to the framework.

However, following media reports on documents leaked by whilstleblower Edward Snowden about the alleged scope and scale of surveillance activities undertaken by the NSA, and the UK's equivalent GCHQ, the European Commission carried out a review of the safe harbour regime.

The Snowden revelations appeared to show that the NSA could access data held by major US technology companies beyond what was permitted under US legislation, although the NSA has denied that it accesses the information without having legal basis to do so.

Following its review, the Commission in November published a report which cited "deficiencies in transparency and enforcement" in how the safe harbour framework works. The Commission made 13 recommendations that it said would address its concerns.

Among its recommendations, it said the US businesses subject to the agreement should "publish privacy conditions of any contracts they conclude with subcontractors" and facilitate "readily available and affordable" access to alternative dispute resolution for EU citizens so that they can raise and settle complaints they have on privacy issues. The Commission also said that there should a procedure for testing some safe harbour scheme members' privacy policies to ensure "effective compliance".

Earlier this month the US's Federal Trade Commission (FTC) said that it is "a priority" of its to make sure that US companies which claim to be compliant with the safe harbour regime actually are. The FTC reported that it had reached a settlement with 12 companies in connection to charges that their certifications of compliance were out of date.

In her speech Viviane Reding also outlined her vision of a "data protection compact" for the EU. The principles contained in the 'compact' include the agreement of reforms to the existing EU Data Protection Directive that set a "gold standard for the world" on data protection, she said.

The rules should apply equally to both businesses and public sector organisations, be subject to public consultation, ensure that data surveillance activities are proportionate and that law enforcement agencies cannot disregard the rules for national security reasons other than "sparingly", Reding said, amongst making other recommendations.

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Combat fraud and increase customer satisfaction

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
Reprieve for Weev: Court disowns AT&T hacker's conviction
Appeals court strikes down landmark sentence
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.