A too fragile shield for privacy

We’re at a critical fork in the road in terms of data protection for EU businesses and citizens. Yesterday, the European Parliament debated, and today will vote on, the proposed Privacy Shield agreement between the EU and US. Privacy Shield is heavily contested and by many experts regarded as more a fig leaf than a steel piece of armor. In her article in today’s Irish Times, Karlin Lillington calls Privacy Shield a clumsy replacement for the Safe Harbour agreement.

One of the most criticised aspects of Privacy Shield is how it addresses the protection of data from secret law enforcement scrutiny in the US, a key issue highlighted in the Schrems case before the European Court of Justice. In this matter, Privacy Shield relies only on US government letters of assurance, which are far distinct from actual changes to law.

Equally weak are the foundations provided for the independence of the proposed US-based ombudsman, who would report to the same US State Department that oversees the US surveillance agencies. Lillington cites European ombudsman Emily O'Reilly expressing her concern in a letter to the EU commissioner responsible for Privacy Shield:

It would be useful at this stage if you might outline, or reflect on, how these criteria might be reconciled with the fact that the office foreseen in the ‘EU-US Privacy Shield’ would be part of a government department that supervises government agencies… European citizens… have legitimate expectations of the credentials as to the impartiality and independence of such an office.

A similar concern was raised by the Working Party of EU data protection authorities, which said in April that Privacy Shield still needed considerable work. In Opinion 01/2016 on the EU–U.S. Privacy Shield draft adequacy decision, the Working Party (WP29) welcomes the establishment of an Ombudsperson as a new redress mechanism but then adds:

The WP29 is concerned that this new institution is not sufficiently independent and is not vested with adequate powers to effectively exercise its duty and does not guarantee a satisfactory remedy in case of disagreement.

This has significant consequences on the fundamental rights of EU citizens with regard to data protection:

Finally, although the WP29 notes the additional recourses made available to individuals to exercise their rights, it is concerned that the new redress mechanism in practice may prove to be too complex, difficult to use for EU individuals and therefore ineffective.

The Working Party also finds that key data protection principles as outlined in European law are not adequately addressed in Privacy Shield. This especially applies to the collection of personal data:

The WP29 however notes that the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not exclude massive and indiscriminate collection of personal data originating from the EU. The WP29 recalls its long-standing position that massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society, as is required under the protection offered by the applicable fundamental rights.

Businesses who process protected customer data, for example in their web applications, require a solid legal foundation on which they can operate securely. In its current state, Privacy Shield does not seem to provide an adequate implementation.

As a company with the internet at the core of our business model, we at freistil IT believe that raising the bar for data protection will benefit both businesses and individual citizens in the long run. With adequate data protection measures in place, they will be able to navigate, use and expand the digital space with peace of mind. As Lillinton concludes:

In an age replete with evidence of easy digital surveillance, poor digital security protections for citizen data and enthusiastic bulk data gathering by both businesses and governments, [regulatory barriers] are also essential protections to a vulnerable citizenry.

Nothing comes for free, though. Putting these protections in place requires a significant effort on both the organisational and the technology level.

In this regard, running your websites on our managed hosting platform freistilbox can become the cornerstone of your data protection strategy. As a PaaS company, we can leverage economies of scale to minimise the cost of these efforts for our customers. That’s why we can offer you world-class hosting for Drupal and WordPress at affordable rates. And this includes full data sovereignty: Our business, our staff and our IT infrastructure are based 100% in the EU, with no ties to US-based entities.

So if you, as a web agency or a website owner, have concerns about providing proper data protection at economically viable cost, you should talk to us.