Time is running out on Safe Harbor 2.0
Antti Laatikainen
Principal Consultant, PCI Service Lead at WithSecure Consulting (he/him)
With the end of January closing in and nothing concrete coming out of the EU’s Article 29 Working Party, it seems more and more evident that the trench created by the EU’s “Schrems ruling” is not being bridged, but instead dug deeper and deeper.
At a time when the US and the EU should be closing in on a common understanding of how privacy should be seen in the context of national security, views are just getting more and more mixed up. The EU is putting the General Data Protection Regulation (GDPR) into action and agreeing on a Data Protection Directive for the police and criminal justice sector. The aim is a controlled and well-balanced set of rules that allows intelligence agencies to share information for better anti-terrorist and anti-criminal protection, while still promoting high standards for individual privacy rights and for visibility into, and control over, one’s own data.
During this time, in the US, the Senate passed CISA (the Cybersecurity Information Sharing Act), which gives intelligence authorities unchallenged and practically uncontrolled access to all data collected by US companies. This state-backed intelligence practice was the one and only point in the EU’s “13 part improvement” list for the original Safe Harbor that the US did not agree to, and it seems that they are firmly standing their ground.
If a common “Safe Harbor v2.0” is not agreed on, companies that exchange information between the EU and the US will have to turn to alternative legal structures, such as Binding Company Rules or collecting individual consent from all the users of their services.
In my personal opinion, with practices like CISA and the Patriot Act in place, I think it’s just a matter of time before these working methods are also questioned by the EU.
It will be interesting to see what kind of consensus the EU and the US will eventually reach on this.
Article 29 Working Party
https://ec.europa.eu/justice/data-protection/article-29/index_en.htm
EU “Police” Regulation
https://europa.eu/rapid/press-release_IP-15-5812_en.htm
Good article about CISA
https://www.wired.com/2015/12/congress-slips-cisa-into-omnibus-bill-thats-sure-to-pass/