EU-US Privacy Shield Agreement – What you need to know
On August 1, 2016 the United States – European Union data agreement known as Privacy Shield became operational.
From that date, companies have been able to sign up to the Privacy Shield with the United States Department of Commerce. The department will then analyze and verify that the applicant company is in line with the high data transfer standards set by the new agreement.
By August 15, however, only 40 companies had been certified as compliant by the US Department of Commerce for Privacy Shield, with 200 additional companies in process. On September 26, the search giant Google was officially certified as compliant, and users may have noticed a notification of it since then.
But many people may have a few questions about Privacy Shield:
- What is it exactly?
- Where did it come from?
- How will it affect me?
- Can I trust it?
We’ll go through each question carefully to fill you in on the new data law.
What exactly is Privacy Shield?
In February 2016, the US and EU signed a new agreement to make it easier for companies to transfer data across the Atlantic. On the 12th of July, the European Commission officially adopted the new measure.
Privacy Shield is set to be a framework for protecting the fundamental rights of European online users whose personal data will be handled by US companies and organizations. It also creates a legal clarification for other businesses that rely on these transatlantic data transfers.
For example, if you are located in the EU and you sign up for a service from the US—it could be Facebook, Google, or Christian Mingle—you are giving up your personal data to that company. However, what are the laws regarding your data for those companies? Are these laws the same as what you have in the EU?
In practice there was little alignment between US and EU data protections, and Privacy Shield came into effect to bring the two regions into line.
According to the agreement:
- The US creates an Ombudsperson in order to handle EU citizen complaints about American organizations spying on their data
- The US Office of the Director of National Intelligence provides commitments in writing that there will be no mass surveillance of EU citizens’ personal data
- The US and EU will have an annual review to make sure Privacy Shield is working correctly
The features also include:
- Any breaches in personal data records have to be reported within 72 hours of discovery.
- Companies that violate the agreement will be fined up to €20 million or 4% of the company’s total annual worldwide gross revenue, whichever is higher.
- Participating organizations will have to undergo additional obligations for compliance and reporting, some of which may even continue after the organization leaves Privacy Shield.
These things make up the major features of Privacy Shield, which many US businesses are welcoming for its promise to make transatlantic data transfers easier, more secure, and hopefully more transparent.
Where did it come from?
If Privacy Shield only came into effect in August, what was in place before it? Let’s look at a little story:
In 2012, an Austrian citizen named Maximilian Schrems, at the time a law student, had some problems with Facebook’s data policies. He claimed that they violated EU law and eventually took his complaints to the European Court of Justice. In October 2015, the court found that the transatlantic data transfer mechanism was inadequate in protecting EU citizens’ data, and struck it down.
That mechanism was called the Safe Harbor Agreement.
Safe Harbor had been operating as a transatlantic data transfer agreement from July 2000 until it was overturned in October 2015.
In light of the Snowden leaks, suspicion and a loss of confidence in how America handled its own citizens’ and international personal data also affected how the Safe Harbor Agreement was viewed. Mainly, these suspicions concerned the fact that companies only had to self-certify that they were complying with the transparency and processes the agreement expected. In addition, those companies were not able to prevent the NSA from snooping on that personal data.
Another concern was the reach of the Patriot Act, which could impact cloud data anywhere in the world, as raised by Microsoft. The remaining big concern was Facebook’s data handling policies, which loosely applied Safe Harbor principles as it didn’t require all organizations that handled EU privacy-related data to comply.
How will the EU-US Privacy Shield affect me?
This is perhaps the most important question about Privacy Shield: how will it affect my life? And, more specifically: can I trust it?
For thoughts on that, we can turn to what Edward Snowden had to say in early September at a Brussels event (via the European Observer):
“It is categorically untrue [that mass surveillance is being narrowed under Privacy Shield]….”
Snowden is not alone in his worries about Privacy Shield. The EU’s main privacy regulating body, the Article 29 Data Protection Working Party, has said that the US commitments not to engage in mass surveillance of EU citizens’ data were lacking in three areas:
- the process of data deletion
- the continuing massive amounts of data collected
- clarifications on the role of the new Ombudsperson
Because of that, the European Data Protection Supervisor stated that Privacy Shield is likely “not robust enough to withstand future legal scrutiny before the [European] Court.”
What this may mean for the average person is that, although there are better protections for Europeans’ data processed by US companies, mass surveillance is still a big issue.
What can I do to protect myself?
This means that, for all intents and purposes, your data may still be snooped on. While there are indications that the EU-US Privacy Shield will be contested in court, that may not happen for another year. Others believe it might be tested even sooner, as the recent Yahoo scandal has some observers questioning the effectiveness of Privacy Shield.
In the meantime, the agreement is in full swing. How can you secure your private data?
The best way, still, is securing your own personal data whenever possible, for instance by using a VPN (Virtual Private Network), such as NordVPN. Remember, VPNs work by establishing a secure connection between a user’s computer and a server of their choosing. That means that all traffic between your computer and that server will (1) be encrypted and (2) appear to the wider internet to be coming from that server.
With NordVPN, that encryption is even better: offering AES-256-CBC with a 2048-bit DH key (OpenVPN security protocol) and AES-256-GCM with a 3072-bit DH key (IKEv2/IPsec security protocol). Also, NordVPN has 685 worldwide servers in 52 countries, so you’ll have a wide choice of server locations. Even better, you can combine the power of Tor (The Onion Router) and VPN or use DoubleVPN servers and be secure that none of your communications will be recorded.
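To make the two ingredients named above concrete, here is an added Go example (not code from this post or from NordVPN) that sketches what a VPN tunnel does per packet: the two ends agree on a session key with a Diffie-Hellman exchange, then each packet is encrypted with AES-256-GCM. It assumes X25519 elliptic-curve DH rather than the finite-field 2048/3072-bit DH groups the post mentions, and it collapses the key derivation to a single SHA-256 of the shared secret, which real protocols (OpenVPN, IKEv2) replace with a proper KDF bound to the handshake transcript. The packet payload and header strings are constructed sample data. The point for a defender is the second half of the demo: because GCM authenticates the ciphertext, a packet modified in transit is rejected rather than silently decrypted to garbage, which is why CBC modes must always be paired with a MAC.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Peer holds one tunnel endpoint's ephemeral X25519 key pair (assumption:
// the post's DH groups are replaced by X25519 for brevity).
type Peer struct {
	priv *ecdh.PrivateKey
}

// NewPeer generates a fresh ephemeral key pair for one handshake.
func NewPeer() (*Peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{priv: priv}, nil
}

// Public returns the bytes this peer sends to the other side in the clear.
func (p *Peer) Public() []byte { return p.priv.PublicKey().Bytes() }

// SessionKey combines our private key with the remote public key and hashes
// the shared secret down to a 256-bit AES key. Simplified KDF, see lead-in.
func (p *Peer) SessionKey(remotePub []byte) ([32]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(remotePub)
	if err != nil {
		return [32]byte{}, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(shared), nil
}

// Seal encrypts one packet with AES-256-GCM; the header is authenticated but
// not encrypted (like an outer IP/UDP header), and the nonce is prepended.
// A real tunnel uses a counter nonce so it can never repeat under one key.
func Seal(key [32]byte, plaintext, header []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, header)...), nil
}

// Open verifies the GCM tag and decrypts; any bit flip in nonce, ciphertext
// or header makes it return an error instead of plaintext.
func Open(key [32]byte, packet, header []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(packet) < n {
		return nil, errors.New("packet too short")
	}
	return gcm.Open(nil, packet[:n], packet[n:], header)
}

// Demo runs one handshake and one packet round trip, then tampers with the
// packet. It returns (roundTripOK, tamperDetected, err).
func Demo() (bool, bool, error) {
	client, err := NewPeer()
	if err != nil {
		return false, false, err
	}
	server, err := NewPeer()
	if err != nil {
		return false, false, err
	}
	ck, err := client.SessionKey(server.Public())
	if err != nil {
		return false, false, err
	}
	sk, err := server.SessionKey(client.Public())
	if err != nil {
		return false, false, err
	}
	if ck != sk {
		return false, false, errors.New("DH shared secrets differ")
	}
	payload := []byte("GET /account HTTP/1.1") // constructed sample traffic
	header := []byte("tunnel-v1")             // constructed outer header
	pkt, err := Seal(ck, payload, header)
	if err != nil {
		return false, false, err
	}
	got, err := Open(sk, pkt, header)
	roundTripOK := err == nil && bytes.Equal(got, payload)
	tampered := append([]byte(nil), pkt...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit in transit
	_, err = Open(sk, tampered, header)
	return roundTripOK, err != nil, nil
}

func main() {
	ok, detected, err := Demo()
	fmt.Println("round trip ok:", ok, "tamper detected:", detected, "err:", err)
}
```

Running it prints that the round trip succeeds and the tampered packet is rejected. The on-path observer in this model sees only the DH public values, the authenticated header and the ciphertext, which is the property the post refers to as communications being encrypted between your computer and the VPN server.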
However you choose to protect yourself, it’s probably best, while the world waits and watches Privacy Shield, to take it upon yourself to keep your own data private and secure.