The debate on data flows between the US and EU is heating up again. In mid-October, the US House of Representatives approved the Judicial Redress Act, a bill that will give foreigners the same rights to judicial redress as US citizens if law enforcers violate their data privacy. This was necessary for the implementation of the so-called “Umbrella Agreement” (signed in September 2015 between the EU and US) that aims to ensure the same standard of protection when it comes to transfer of criminal data.
Last week the US Senate passed the Cybersecurity Information Sharing Act (CISA), aiming to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes”. In principle, CISA will formalize the sharing of Internet traffic information between the US government and technology and manufacturing companies in cases of cyber security threats and once specific “cyber threat indicators” are met. The bill must be conferenced together with other related bills already passed by the House of Representatives and then voted on again in the House.
While the Judicial Redress Act will undoubtedly help restore public confidence in transatlantic data flows – vital for continued economic cooperation and particularly trade – opponents question CISA’s value, believing that it could move responsibility from private business to the government, thereby increasing the vulnerability of personal private information, as well as dispersing personal private information across government agencies in the US. Right after the bill was introduced in the US Senate in July 2014, it became a subject of heated debate between digital rights advocates and privacy activists in light of the “Snowden revelations”.
Interestingly enough, mainstream media in the European Union have not paid much attention to the latest developments around CISA. However, CISA could considerably affect the ongoing debates on the replacement of the Safe Harbour agreement on transatlantic data flows, which was invalidated by the European Court of Justice at the beginning of October 2015. Since EU privacy laws require that – when personal information of EU citizens is processed outside the EU – it should benefit from the same level of legal protection as in the EU, a thorough analysis of all CISA provisions and their compliance with EU privacy laws will be needed.
The question, however, remains whether the new US legislation may lead to new EU legislation, and to what extent it will be an opportunity or a threat in the process of anchoring EU-US data flows affecting more than 4,400 companies across sectors. One thing is clear: the recent TalkTalk cyber-attack has sparked calls for new regulatory powers. With the multitude of upcoming developments, including:
- conclusion of the EU General Data Protection Regulation (GDPR);
- conclusion of the EU Network and Information Security Directive (NIS);
- implementation of the “Umbrella Agreement”;
- agreement on the prospective “Safe Harbour 2.0”;
- launch of negotiations on digital trade in the Transatlantic Trade and Investment Partnership (TTIP); and
- conclusion of the negotiations for the Trade in Services Agreement (TiSA) and its provisions on data flows,
we proudly declare 2016 as the year of data flows and protection. We are closely watching the space, so stay tuned for our next snapshots on digital trade and free flow of data!
Vladimir Beroun, Senior Consultant and technology wonk at FTI Consulting in Brussels