Thursday, February 4, 2016

The new transatlantic data “Privacy Shield”

THE EUROPEAN Union and America have reached a deal on data protection. The “EU-US Privacy Shield” allows companies to store Europeans’ personal data on American computers. This ends a three-month hiatus since the European Court of Justice struck down the previous agreement, “Safe Harbour”, on the grounds that it gave insufficient protection against snooping by American spy agencies. Failure to reach a deal could have sparked a damaging legal spat, in which some European national data protection agencies could have ruled illegal all transfers of data across the Atlantic.

A transatlantic gulf separates ideas about data privacy: EU law sees it as a cherished human right; in America, it is more about consumer protection. Moreover, America’s National Security Agency (NSA)—the biggest and most powerful electronic-intelligence agency in the world—sparks fears in Europe of untrammelled snooping. The EU has no intelligence agencies of its own—so the tradeoffs between security and privacy which exist at national levels (where spymasters cooperate gladly and gratefully with the NSA) are invisible. Caught in the middle are the internet and technology companies: big ones could set up Europe-only data centres; small ones might find that doing business across the Atlantic was just too much trouble. 

read full article at The Economist

New privacy notices code 'developed with compliance with the General Data Protection Regulation in mind', says ICO

The UK's data protection watchdog has proposed updates to its privacy notices code of practice which it said accounts for the near-finalised new EU General Data Protection Regulation (GDPR).
03 Feb 2016

In its draft new privacy notices code of practice, the Information Commissioner's Office (ICO) advocates that companies use a "blended approach" to informing consumers about how they intend to use their personal data.

The ICO said that to meet obligations set out under data protection laws on the fair processing of personal data, businesses should only use data "in a way that people would reasonably expect" and after thinking about the impact such data use would have on those individuals. In addition, businesses must ensure "people know how their information will be used".

read full article at Out Law

Goodbye Safe Harbour, hello Privacy Shield – but what does that really mean for your data?

Privacy Shield, rebranded to prevent any association with its predecessor, is designed to offer new safeguards around access to data by public authorities and give citizens the right to take legal action against companies using their data. It will also create an independent ombudsperson role and have an annual review procedure.

The commissioner said in a press conference today that this will take just three months to implement. She also made assurances that the rules would still be suitable when new data protection regulations come into force in 2018.

Although this appears to offer some guarantee for big tech companies like Facebook, Amazon and Google that they will still be able to move data freely and therefore not have to increase costs to the public, it still has political hurdles to clear first. 

by Kirsty Styles
read full article at The Next Web

Looks Like Data Will Keep Flowing From the EU to the U.S. After All

The European Union and United States have struck a last-minute deal on keeping transatlantic data flowing — and it should mean tough new obligations for both American companies and intelligence services.

This really went down to the wire: An end-of-January deadline for agreeing on the successor to the struck-down Safe Harbor agreement passed with no deal, and EU privacy regulators are meeting today and tomorrow to discuss their crackdown on companies that are sending EU citizens’ data to the U.S. without legal backup. 

by David Meyer
read full article at Fortune

EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield
Strasbourg, 2 February 2016

The College of Commissioners approved the political agreement reached and has mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement. This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses. 

The new arrangement will include the following elements: 
Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it. 
Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.

read full article at European Commission

Friday, January 8, 2016

Uber agrees to enhance user privacy in settlement

New York's attorney general has announced a settlement with Uber requiring the car service app to protect riders' personal information.

The agreement follows an investigation by the AG's office amid reports that Uber executives had access to riders' locations and displayed them in an aerial view, known internally as "God View."

read full article at CrainsNewYork

FTC’s credibility tarnishes as its privacy offensives grow

Having worked for an FTC commissioner, I've seen first hand the commission's regulatory successes. Imbued with the powers of competitive oversight and consumer protection, the Federal Trade Commission (FTC) was a beacon for other governmental agencies.

Unfortunately, times have changed. The commission's recent obsession with media exposure has darkened the FTC's luminescence. The FTC has forgotten its core foundational tenet: identify practices that actually harm consumers.

By Carl Szabo
read full article at TheHill

Snooper's charter would be out of date in five years, says defence industry

The accelerating pace of technology means the government’s landmark snooper’s charter bill will only have a limited shelf life and will need to be revisited within five years, Britain’s defence and security industry has told MPs and peers.

They have warned that there are serious questions over whether fundamental parts of the new law that will overhaul surveillance powers will be relevant in the near future as the technological landscape changes.

by Alan Travis
read full article at TheGuardian

U.S. Department of Homeland Security Best Practices for Protecting Privacy, Civil Rights & Civil Liberties In Unmanned Aircraft Systems Programs

As co-chairs of the Department of Homeland Security’s (DHS) Privacy, Civil Rights & Civil Liberties Unmanned Aircraft Systems Working Group (DHS Working Group), we are pleased to present these best practices, which reflect DHS’ experiences in building unmanned aircraft system programs founded on strong privacy, civil rights, and civil liberties protections. Unmanned aircraft systems are an essential tool in DHS’s border security mission and present a great deal of promise for assisting first responders and improving situational awareness. These best practices represent an optimal approach to protecting individual rights that is influenced by U.S. Customs and Border Protection’s (CBP) ten years of experience using unmanned aircraft systems as a tool in protecting and securing the Nation’s borders. 

We are sharing these reflections broadly, recognizing that government entities (including CBP) have various limitations based upon their respective missions, operating characteristics, and legal authorities, and that many of the considerations that apply to our agency may not be applicable or appropriate for other entities. The DHS Working Group neither proposes nor intends that this document regulate any other government entity. Our goal, rather, is simply to share the best practices we have identified as helping to sustain privacy, civil rights, and civil liberties throughout the lifecycle of an unmanned aircraft systems program. 

read full article at DHS

Key U.S. Cybersecurity Provisions Signed into Law

Last month, tucked into a 2,000-page spending bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law. Years in the making, CISA is intended to incentivize organizations to share cyber threat indicators with the federal government and to promote the dissemination of this information to organizations facing similar threats. CISA sponsors and supporters hope that such information exchange will help organizations prepare for and respond more effectively to cyber threats.

In addition to CISA, the spending bill included a number of other cybersecurity provisions covering topics ranging from federal preparedness to foreign policy strategy. Most notably, the bill directs the Department of Health and Human Services (HHS) to develop cybersecurity best practices for organizations in the healthcare industry. The bill also directs federal agencies to create new plans to fortify federal information systems and identify cyber-related gaps in the federal workforce. 

by Hogan Lovells
read full article at IAPP

NIS + GDPR = A New Breach Regime in the EU

European lawmakers capped off a blockbuster week for privacy with an important step towards the first comprehensive information security legislation in the EU. The Network Information Security (NIS) Directive was initially proposed by the European Commission in February 2013 to raise cybersecurity capabilities across the EU’s 28 member states. After more than two years of negotiation, the European Council reached an informal agreement with the Parliament on December 7, and the agreed text was approved by the Member States December 18.

The text now must undergo “technical finalisation,” and then needs to be formally approved by both the Council and the Parliament, which is expected, according to the Council, this spring. Member States will then have 21 months to implement the Directive into law, passing their own legislation in accordance with the Directive.

by Gabriel Maldoff
read full article at IAPP

Researchers investigate the ethics of the Internet of Things

Researchers at nine UK universities will work together over the next three years on a £23m ($33.5m) project to explore the privacy, ethics, and security of the Internet of Things.
The project is part of 'IoTUK', a three-year, £40m government programme to boost the adoption of IoT technologies and services by business and the public sector. 

By Steve Ranger 
read full article at ZDNet