The European Commission (EC) published its report on the second annual review of the US-EU Privacy Shield agreement and succeeded in “kicking the can down the road”.
The EC Vice-President (Andrus Ansip) has summarised the review, stating “Today’s review shows that the Privacy Shield is generally a success. More than 3,850 companies have been certified, including companies like Google, Microsoft and IBM – along with many SMEs. This provides an operational ground to continuously improve and strengthen the way the Privacy Shield works. We now expect our American partners to nominate the Ombudsperson on a permanent basis, so we can make sure that our EU-US relations in data protection are fully trustworthy.”
In plain language, by 28th February 2019 the U.S. needs to have someone in charge of ensuring Privacy Shield works and is monitored.
In contrast, the EU Commissioner for Justice (Věra Jourová) added “The EU and the U.S. are facing growing common challenges, when it comes to the protection of personal data, as shown by the Facebook / Cambridge Analytica scandal.” She has also called for greater co-operation and stronger parity of privacy between the US and EU.
Granted, improvements have been made to the way Privacy Shield is policed, with random spot-checks made by the U.S. Department of Commerce, privacy policies checked and monitoring performed by the Federal Trade Commission, but does this even address the issues raised in the first annual review of the Privacy Shield?
There is still a vast disparity in the privacy practices of U.S. companies on non-U.S. citizens' data. The EC press statement¹ does mention the Presidential Policy Directive No.28, which alludes to privacy protection for non-Americans being implemented across the U.S. intelligence community. But this neither puts a timeframe on its implementation nor addresses the problems with the C.L.O.U.D. Act².
What does this mean for your information and its privacy?
Well, it would seem that your information certainly remains accessible to the U.S. government, no matter where it resides in the world.³
Our concern, and a core reason why we educate and inform around data protection, is to ensure you know how businesses use and ultimately monetise your information.
Cloud services are still a grey and murky area for information privacy.
Cloud Service Providers also see privacy legislation as an impediment that their terms and conditions try to circumvent, rather than use them to provide good service to you, their customers.
The EU GDPR and UK Data Protection Act 2018 should help in protecting your information held in these cloud services. But knowing your rights and knowing when to use them is exactly what our be.infoready aim is!
Let’s see what’s inside “the can” when the EU reaches 28th February 2019. We’ll be sure to keep you informed.
² Read more about what the Clarifying Lawful Overseas Use of Data Act is at https://www.orrick.com/Insights/2018/04/The-CLOUD-Act-Explained
³ It could be legally challenged, but who will know it has been accessed? The Cloud Service Provider (yes, this does include your information stored on Microsoft Azure or Office 365, Google G-Suite, Amazon Web Services, Facebook) has no legal means to inform you that your information has been accessed. Even if you were to find out, there is no recourse for judicial review.