DWP director Kevin Cunnington set to take over as new head of Government Digital Service
Sunday 31 July 2016
Oracle buys NetSuite, but vows to respect independence
Thursday 28 July 2016
Privacy Shield gets green light – for now
Since the invalidation of the Safe Harbour regime in October 2015, organisations have been relying predominantly on European Union (EU) model clauses to govern their EU-US personal data transfers (or binding corporate rules for intra-group transfers).
The Privacy Shield has been drafted to replace Safe Harbour with a view to providing a legally compliant way to transfer personal data to the US. It was adopted on 12 July 2016, after the European Commission issued its “implementing decision”.
Privacy Shield could face future legal challenges
If the European Commission has not taken into account criticisms levelled against the Privacy Shield, it is likely to be used as evidence against it in a future legal challenge.
This is all made more complicated by the recent referral by the Irish Data Protection Commissioner to the Court of Justice of the European Union (CJEU) on the validity of model clauses.
On 8 July 2016, the European Commission published a statement confirming that the Article 31 Committee – which is made up of representatives of all member states – had given their “strong support” to the Privacy Shield, which will govern EU-US data transfers.
The statement makes clear that the Privacy Shield is “fundamentally different from the old Safe Harbour: it imposes clear and strong obligations on companies handling the data, and makes sure that these rules are followed and enforced in practice”.
Criticisms of Privacy Shield
The adoption of the Privacy Shield comes after a number of setbacks, the most recent being the European Data Protection Supervisor echoing the criticisms levelled at the Privacy Shield by the Article 29 Working Party.
The European Parliament passed a non-binding resolution, which welcomed the Privacy Shield, but urged the European Commission to continue negotiating with the US government to fully implement the Article 29 Working Party’s recommendations.
Further, the Article 31 Committee initially failed to reach an agreement as to whether the proposed Privacy Shield provided adequate protection for EU-US personal data transfers in a meeting with the European Commission.
The Article 29 Working Party’s opinion on the proposed Privacy Shield was given in April 2016, and was particularly critical.
It raised concerns with a number of provisions, ultimately recommending they are reviewed, revised and in some cases strengthened, to afford better protection for EU citizens whose personal data is being transferred outside of the EU to the US.
Of particular concern were the absence of obligations on organisations to delete data no longer required; bulk collection of personal data by US authorities; and the lack of clarity around the new ombudsperson role – in particular regarding their independence and autonomy, as well as the nature of their role and functions.
The Working Party recommended that the European Commission should amend the draft Privacy Shield to ensure that the level of protection given to EU individuals under it is equivalent to EU law, and the Privacy Shield should be reviewed after the General Data Protection Regulation (GDPR) comes into force from 25 May 2018.
In response to these criticisms, the statement made clear “the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens' data. And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms”.
Accordingly, the statement concludes that “consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice”.
Despite the assurances given in the statement, the final Privacy Shield may be found wanting.
In a statement made on 12 July 2016, Maximilian Schrems – the original challenger of the validity of the Safe Harbour – states his view that “it is little more than an [sic] little upgrade to Safe Harbor, but not a new deal. It is very likely to fail again, as soon as it reaches the CJEU”.
Schrems has taken aim at model clauses with the recent referral by the Irish Data Protection Commissioner to the CJEU on the validity of Facebook using them to transfer data from Ireland to the US, and it seems likely that he will look to challenge the validity of the Privacy Shield, too.
In terms of next steps, in the US, the US Department of Commerce will start operating the Privacy Shield. Companies will then have the opportunity to review the Privacy Shield framework and update their compliance. Companies will be able to certify with the US Department of Commerce from 1 August 2016.
Organisations should consider moving data centres to EU
Organisations should keep under review the options for EU-US personal data transfers. The CJEU will not decide upon the validity of model clauses for some time.
It would certainly be prudent to consider alternative options to US data transfers, such as moving data centres to the EU, to minimise any adverse fallout of both the almost inevitable legal challenge to the Privacy Shield, and the outcome of the CJEU decision on model clauses.
Privacy Shield will be renewed in 12 months
Additionally, it is important to note that the Privacy Shield is up for renewal in 12 months’ time, which will be dependent on the outcome of a careful review by the European Parliament as to its effectiveness.
Accordingly, the Privacy Shield is unlikely to provide the answer to all of an organisation’s transatlantic transfer woes on its own, but rather should be considered in the mix together with other compliance measures.
Emma Burnett and Ian Stevens are partners at CMS
Case study: Rémy Cointreau boosts security and productivity
The nearly 300-year-old drinks group Rémy Cointreau has switched to cloud-based services in an effort to boost business agility, but key to the move was finding the right access management system.
Chief technology officer (CTO) Sébastien Huet was tasked with finding a way to enable mobile workers to use up to 20 different web and cloud-based applications and services easily and securely.
“Essentially, it was about aligning IT to the way the business was transforming itself to be more agile to take on our much larger competitors, which are up to 10 times bigger,” he told Computer Weekly.
Rémy Cointreau has more than $1bn in annual sales, but has only 1,800 employees across its operations in Europe, the US and Asia.
As part of the business transformation, Huet wanted to ensure his team was able to focus on improving and finding services to support the business, rather than spending too much time on managing technology.
“We wanted to make it easier for employees to access applications wherever and on whatever device they needed to and to make the experience the same across all devices. But pushing all the services into the cloud meant we had to ensure that access was secure through proper management and control,” he said.
This meant moving security from the network and the device, said Huet, to the application layer, which has the added benefit of being able to buy consumer grade devices at cheaper prices, and to bring new offices online quickly because all the security is handled in the cloud.
Improving IT productivity with Centrify
Although the company had a single sign-on system in place, it was available only in French and suffered from a number of support barriers.
Adding apps to the system was expensive because many needed additional integration work to enable them to run on the old system.
With an IT team of 50 supporting the worldwide organisation, Rémy Cointreau realised the company needed a system that was easy to use, deploy and maintain.
Forgotten passwords, password resets, account lockouts and reactivations were an ongoing problem for Rémy Cointreau’s IT department, accounting for 30% of all help desk tickets.
With the industry average cost of a help desk call running anywhere from $25 to $30, these calls not only slowed productivity and consumed valuable IT time, they cost the company money.
Prior to Huet’s arrival at Rémy Cointreau a year ago, the company had already identified an identity and access management service from Centrify as a potentially good fit for the company.
After conducting several pilot studies, Huet confirmed the decision to work with Centrify because not only did the product meet Rémy Cointreau’s needs, but as an early adopter of the system, Centrify was able to respond quickly to any new or specific requirements as part of product development.
The Centrify Identity Service (CIS) is designed to protect against credentials being compromised, which is one of the main techniques used by attackers to access networks and steal data.
The system is aimed at securing internal and external users, as well as its privileged accounts. It provides single sign-on, multi-factor authentication, mobile and Mac management, privileged access security and session monitoring.
“We have many cloud apps from many different suppliers and Centrify provides a portal through which users can get access to all those applications with a click or tap, from any device,” said Huet.
“In effect, Centrify ties all the apps together and gives them the feel of one large, unified system, which has resulted in good user experience and positive feedback,” he said. “It has changed the perception of an IT service inside the company.”
Since implementing Centrify’s identity service, Rémy Cointreau has simplified the onboarding of employees and driven increases in productivity.
“New employees are productive more quickly after joining the company than in the past and existing employees are more efficient as well,” said Huet.
“In the past, it was fairly difficult and time consuming to add new users, but now employees can simply select the services they need from a central online portal,” he said.
The company is also using Centrify’s enterprise mobility management system, which is part of CIS. By consolidating identity management in one place, Huet said Rémy is able to alleviate pressure on IT with one less product to manage, saving the company the cost of a separate security system.
Rémy Cointreau also plans to implement multi-factor authentication for all employees by the end of 2016, not just administrators, to derive even greater security benefit from CIS.