Lance Bellers - Fotolia
Just days before a deadline to replace the Safe Harbor framework, which was ruled invalid last year by the European Court of Justice, a key bill has advanced in the U.S. Senate that could impact data privacy for foreign citizens.
The Senate Judiciary Committee advanced the Judicial Redress Act on Thursday, which, if passed, will give foreign citizens or organizations the right to recover damages if their data is misused or mishandled. However, an amendment added on Wednesday by Sen. John Cornyn (R-Texas) placed limits on the rights granted.
Privacy regulators in the European Union had supported the passage of the bill as a sign of good faith by the U.S. for data privacy. The act is "a very, very important signal of trust and reliability," European Commission Director for Fundamental Rights Paul Nemitz told Reuters, which reported that the last-minute amendments were causing some concern among those involved in the negotiations.
Cornyn's amendment stated that "in order to qualify as a covered country, a foreign country must permit commercial data transfers with the United States and may not impede the national security interests of the United States." The amendment requires that a successor to the Safe Harbor framework be in place with the EU before its citizens are granted rights under the bill.
"The progress of the Judicial Redress Act is a welcome development. However, it is unlikely to have a huge impact on Safe Harbor negotiations," said Mike Weston, CEO of Profusion, a data science consultancy in London. "If the bill becomes law and the U.S. confers the same data protection to European citizens, it will do little to appease the EU, simply because the U.S. currently puts little emphasis on data privacy -- especially for non-U.S. citizens."
"It will take a monumental shift in how the U.S. government balances the rights of users online with national security to make a complete replica of the original Safe Harbor deal possible," Weston said.
Government officials on both sides of the Atlantic are still scrambling to reach an agreement before the next meeting of the EU government body concerned with data privacy, which is scheduled for Feb. 2.
Importance of the pact
Speaking at the World Economic Forum in Davos, Switzerland last weekend, U.S. Secretary of Commerce Penny Pritzker said that there is a national security component to the framework -- in particular, "what kind of information is available about activities done for national security and how do those affect privacy." She added that "our intelligence community and law enforcement have detailed for the [European Commission] the legal authorities and oversight that has been put in place, particularly post-Snowden."
"The other big issue is the issue of how to address if a European citizen has a complaint about privacy, and we've taken that issue very seriously," Pritzker said. "We take privacy very seriously in the United States, and we take the issue of addressing this very seriously."
The Safe Harbor agreement, set in place in 2000, allowed companies to transfer and store personal and private information of EU citizens in the U.S., under the condition that the data remained private. Max Schrems brought his suit challenging the Safe Harbor framework on privacy grounds before Edward Snowden's revelations of mass surveillance by the National Security Agency in 2013. However, those revelations helped decide the issue.
A process, not a complete solution
Pritzker said at Davos that the new framework will "set up mechanisms to recognize that the landscape will change and that the solutions today will have to evolve."
Speaking on the same Davos panel as Pritzker, European Commission Vice President Andrus Ansip, who is involved with the Safe Harbor framework replacement negotiations, said that he was confident a consensus would be reached and that "it will be a process to make Safe Harbor even more safe."
The negotiations are "both fraught with peril, but also ripe with opportunity," said Brad Smith, president and chief legal officer at Microsoft, also speaking at Davos. "If people in Europe are going to trust American companies, we need to be accountable. People will not trust institutions that are not accountable."
In other news
- Basic security lapses in Ukraine's power grid were to blame for the BlackEnergy malware attack that caused power cuts in December, security consultant Oleh Sych told Reuters this week. The attack was apparently carried out via targeted phishing emails with infected data files, according to Sych. And he claimed that other industrial facilities in Ukraine could also be at risk for similar attacks. Meanwhile, what some news outlets were calling a "massive cyberattack" on Israel's power grid turned out to be merely a ransomware phishing attack against their Electricity Authority, a department of the government tasked with setting electricity rates and payments.
- Impressive new records were reported this week for various types of cyberattacks in 2015. Concerns about healthcare data security are well-founded, as healthcare breaches were up tenfold in 2015 over the previous year, with over 113 million Americans -- one in three -- affected, according to cloud and mobile security firm Bitglass. Meanwhile, it was a record year for distributed denial-of-service attacks, with the largest DDoS attack reported at 500 Gbps, and another eight attack events rated at over 200 Gbps, as well as a "record number of 100 Gbps+ attacks," according to a report from DDoS and advanced threat protection firm Arbor Networks. "This year's survey results indicate a sharp uptick, with nearly 25% of respondents seeing peak attack sizes over 100 Gbps." And if that's not enough, Google blocked a record 780 million "bad ads" in 2015, according to Sridhar Ramaswamy, senior vice president of ads and commerce at Google. The advertising giant blocks "ads that carry malware, cover up content you're trying to see or promote fake goods."
- This week, Synology became the first hardware manufacturer to deploy Let's Encrypt free certificates, as the network-attached storage manufacturer announced: "As part of the company's DSM 6.0 beta, it's added the ability to secure your NAS device with a Let's Encrypt free security certificate, rather than Synology's own self-signed one."
- Several vulnerabilities, including some critical ones, were found and patched in almost all versions of the e-commerce platform Magento. Web security firm Sucuri discovered a stored cross-site scripting vulnerability in November and worked with Magento to fix it. Security updates with extensive patches were released late last week for both Magento 1.x and Magento 2.x. Although no exploits have been detected in the wild, users are urged to apply the patches as soon as possible.
Learn about how to comply with international data privacy laws.