New security measures to protect EU data flows to the US

Updated to include perspective from Stephen Cobb, ESET senior security researcher.

Officials from the European Commission and the US have announced agreement on a new ‘Safe Harbor’ arrangement to maintain ‘transatlantic data flows’. Known as the EU-US Privacy Shield, the framework aspires to safeguard the ‘fundamental rights of Europeans’ with regard to data being transferred to the US.

However, as ESET security researcher Stephen Cobb points out, the new agreement already faces strong criticism, and potential legal challenges, from European privacy advocates.

The original safe harbor agreement was declared ‘invalid’ in October of last year following a legal challenge arising from the secret US National Security Agency (NSA) surveillance that was revealed by Edward Snowden. The European Court of Justice (CJEU) ruled that “the NSA’s indiscriminate overseas surveillance interfered with the ‘fundamental rights’ of its citizens” (The Intercept).

Some EU officials were positive about the new agreement. “Our people can be sure that their data is fully protected,” said Andrus Ansip, vice president of the College of Commissioners. “Our businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic.

“We have a duty to check and we will closely monitor the new arrangement to make sure it keeps delivering. Today’s decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment.”

As part of the agreement, US companies will be required to better secure the personal data of Europeans. Indeed, one of the elements of the new deal instructs US firms to commit to ‘robust obligations on how personal data is processed and individual rights are guaranteed’.

Further, in instances where citizens of the European Union feel as though their data has been exploited, in direct contravention of this agreement, they will be able to pursue numerous means of redress.

“For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms,” added Věra Jourová, the EU’s commissioner for justice.

“Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans.”

Unfortunately, says Cobb, some of these assurances are bound to sound hollow to US privacy advocates such as the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU). Both of these organizations have tried to sue the NSA over unwarranted mass surveillance, only to have cases dismissed in the courts: because the surveillance was secret, plaintiffs could not prove they had been its target.

Cobb points out that such rulings contrast sharply with well-established European law, for example, the 2006 finding that “the mere existence of legislation which allows a system for the secret monitoring of communications entails a threat of surveillance for all those to whom the legislation may be applied. This threat necessarily strikes at freedom of communication between users of the telecommunications services and thereby amounts in itself to an interference with the exercise of the applicants’ rights under Article 8 [of the European Convention on Human Rights], irrespective of any measures actually taken against them” (Weber and Saravia v. Germany).

That finding was reaffirmed last month, says Mr. Cobb, in the case of Szabo and Vissy v. Hungary. The European Court of Human Rights found that Hungary’s surveillance of its citizens under the country’s National Security Act violated the plaintiffs’ right to respect for private and family life, in part because it included “disproportionately intrusive measures under a legal regime that was prone to abuse for want of judicial oversight” (Clayton Rice).

Mr. Cobb notes that those words describe an opinion of US government surveillance shared by more than a few Americans: “Absent further surveillance reforms in the US, it seems unlikely that the new transatlantic agreement will withstand legal challenges from EU citizens; however, many US citizens still hope that such reforms will come to pass. Only if this new deal moves reform forward, and leads to greater data security, will it be worth celebrating.”

Author , We Live Security

Copyright © 2016 ESET, All Rights Reserved.