Transatlantic Transfer of Personal Data: Rebuilding Trust in EU-US Data Relations?

Introduction: This paper aims to analyse firstly, the extent to which the NSA scandal has damaged trust in EU-US transfer of data. PNR and SWIFT already raised serious concerns regarding breaches of data protection rights of EU citizens but the NSA scandal constituted the last straw in the already troubled waters of transatlantic data exchanges. While PNR and SWIFT are not the only existing data transfer agreements between the EU and the US, they are the most contentious. Secondly, this paper will try to examine whether the Umbrella Agreement can contribute to rebuilding trust in EUUS relations by laying down a sufficient and effective framework for data protection in the context of transatlantic cooperation. For that purpose, this paper will first look at the implications of the NSA scandal for trust in transatlantic data relations. Secondly, the challenges to transfers of data in EU-US relations will be examined, paying particular attention to weak level of protection in SWIFT and PNR as well as to their review process and issues of accountability. Thirdly, an analysis of the Commission’s Non- Paper on the state of play of negotiations on the Umbrella Agreement will serve as a ground to assess whether the agreed proposals will provide sufficient safeguards against the identified concerns. Finally, provisional conclusions will be drawn on the basis of the current state of negotiations

Using State-Based Adequacy Now, National Adequacy Over Time to Anticipate and Defeat \u3cem\u3eSchrems III\u3c/em\u3e

Consequent to their incongruous developments of data privacy law, the European Union and United States have struggled to lawfully trade data with one another. Both nevertheless aspire to make the transfers occur. Therefore, they have negotiated two agreements for lawful data trade: (1) Safe Harbor and (2) Privacy Shield. But the European Union has also required the United States to guarantee nearly “equivalent” protections to its own. Given the Court of Justice of the European Union’s decisions in Schrems v. Data Protection Commissioner (Schrems I) and Data Protection Commissioner v. Facebook Ireland Ltd. (Schrems II) to invalidate the agreements, achieving the equivalency requirement will be demanding. This Note contends that the upcoming successor agreement should allow well-suited states in the United States to obtain “adequacy” determinations for themselves, rather than trying to adapt the structurally dissimilar federal legislation to meet European Union standards. This approach is the only realistic way to anticipate and defeat an inevitable “Schrems III” court challenge

Risk and Rights in Transatlantic Data Transfers: EU Privacy Law, U.S. Surveillance, and the Search for Common Ground

Privacy advocates rightly view the Court of Justice of the European Union (CJEU) decision in Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems (Schrems II) as a landmark. But, one stakeholder’s landmark is another’s headache. The CJEU’s decision invalidated the EU-U.S. Privacy Shield agreement governing transatlantic transfers of personal data. Citing U.S. surveillance, the CJEU found that data transfers lacked adequate privacy protections under the EU’s General Data Protection Regulation (GDPR). The Schrems II decision thus clouded the future of data transfers that help drive the global economy. This Article offers a hybrid approach to safeguard privacy rights and ensure the viability of transatlantic data flows. The Article’s hybrid approach is an alternative to two less promising ways of reading the CJEU’s groundbreaking decision. The European Data Protection Board (EDPB) issued recommendations adopting a de facto absolutist view of the duties imposed by Schrems II. The EDPB guidance narrows the role of risk assessments that gauge the probability of U.S. surveillance of particular data. The EDPB places greater stock in technical measures, such as steep EU-centered encryption that thwart U.S. surveillance and impede access for U.S. firms. This unduly strict approach undermines the whole point of transatlantic data transfers. Another response to Schrems II takes a “don’t worry, be happy” tack. Heralds of optimism assure audiences on both sides of the Atlantic that most transatlantic data transfers are immune as a matter of law from U.S. surveillance, including collection under section 702 of the Foreign Intelligence Surveillance Act (FISA) or Executive Order 1233 (EO 12333). Unfortunately for this optimistic turn, U.S. surveillance authorities are sufficiently broad to reach many communications by EU individuals. In particular, section 702’s provision for collecting communications related to U.S. “foreign affairs” lacks any intelligible limiting principle or specific review of targeting decisions. The U.S. Foreign Intelligence Surveillance Court (FISC) does not approve every target under section 702, although it has the power to scrutinize targeting procedures. Collection under EO 12333 is even broader and not subject to FISC review. In sum, surveillance optimism is a rhetorical trope, not a legal strategy. Navigating between the EDPB’s strict approach and the heralds’ unfounded optimism, this Article proposes a hybrid model. The hybrid outlines a risk-assessment method based on U.S. export controls, which have successfully managed exports of sensitive technology for decades. This model can also be a template for managing transfers of sensitive personal data. In addition, the hybrid model proposes bolstering substantive and institutional safeguards in U.S. law. For example, the Article proposes an Algorithmic Rights Court (ARC) that would probe targeting decisions under both section 702 and EO 12333. Through more precise risk assessment and reinforced institutional and substantive protections, the hybrid model preserves privacy and supports a sustainable transatlantic data transfer regime

European Reference Network for Critical Infrastructure Protection: ERNCIP Handbook 2018 edition

The ERNCIP network has been established to improve the protection of critical infrastructures in the EU. The European Reference Network for Critical Infrastructure Protection (ERNCIP) therefore works in close cooperation with all types of CIP stakeholders, focusing particularly on the technical protective security solutions. This handbook aims to assist the dissemination of the activities and results of ERNCIP. It is intended that the document will be updated and issued by the ERNCIP Office in spring each year. The information provided will be up to date as of the end of the previous calendar year, i.e. in this case as at 31 December 2017. The report summarises the achievements of all the ERNCIP Thematic Groups, providing a convenient way to access information on any specific theme of interest covered by ERNCIP. The report also describes current thematic group activities, to allow subject-matter experts and critical infrastructure operators to identify ongoing areas of research they might be interested in assisting. This report is publicly available via the ERNCIP web site, and is distributed to all ERNCIP Group of EU CIP Experts for onward dissemination within their Member States.JRC.E.2-Technology Innovation in Securit

European Reference Network for Critical Infrastructure Protection: ERNCIP Handbook 2017 edition Version 1.0

The ERNCIP network has been established to improve the protection of critical infrastructures in the EU. The European Reference Network for Critical Infrastructure Protection (ERNCIP) therefore works in close cooperation with all types of CIP stakeholders, focusing particularly on the technical protective security solutions. This handbook aims to assist the dissemination of the activities and results of ERNCIP. It is intended that the document will be updated and issued by the ERNCIP Office in spring each year. The information provided will be up to date as of the end of the previous calendar year, i.e. in this case as at 31 December 2016. The report summarises the achievements of all the ERNCIP Thematic Groups, providing a convenient way to access information on any specific theme of interest covered by ERNCIP. The report also describes current thematic group activities, to allow subject-matter experts and critical infrastructure operators to identify ongoing areas of research they might be interested in assisting. This report is publicly available via the ERNCIP web site, and is distributed to all ERNCIP Group of EU CIP Experts for onward dissemination within their Member State.JRC.E.2-Technology Innovation in Securit