
Considerations on the EU – U.S. Privacy Shield

Personal data privacy management across the Atlantic is among the core topics tackled by the Think NEXUS project. As such, the latest European decision on the EU-US Privacy Shield constitutes an important development within its ecosystem. The following article details the context, consequences and reactions associated with this decision (extracted from Think NEXUS deliverable D1.4).


The adequacy decision on the EU-US Privacy Shield was adopted on 12 July 2016 (Decision 2016/1250) and the Privacy Shield framework became operational on 1 August 2016. This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. It allows the free transfer of data to companies that are certified in the US under the Privacy Shield.

The Framework includes:

  • Strong data protection obligations on companies receiving personal data from the EU
  • Safeguards on US government access to data
  • Effective protection and redress for individuals
  • An annual joint review by the EU and the US to monitor the correct application of the arrangement.

In the EU, the Privacy Shield is enforced by the European Commission (EC) DG JUST.

On the U.S. side, the EU-US Privacy Shield Framework, monitored by the U.S. Department of Commerce, provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organisations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations.

 
To join the Privacy Shield Framework, a U.S.-based organisation [is] required to self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law.

Court of Justice of the European Union’s repeal of the ‘EU-US privacy shield’

The latest Court of Justice of the European Union (CJEU) judgment in the NGI-related field has had a ‘considerable impact’ on EU-US internet-related collaborations. Namely, the judgment in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems[1], issued on 16/07/20, essentially repeals the ‘EU-US privacy shield’ as such, adding a new entry to the long history of data protection between both areas.

Background to the CJEU’s decision, Mr Schrems’ case

“Maximillian Schrems, an Austrian national residing in Austria, has been a Facebook user since 2008. As in the case of other users residing in the European Union, some or all of Mr Schrems’s personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing. Mr Schrems lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit those transfers. He claimed that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to that country. That complaint was rejected on the ground, inter alia, that, in Decision 2000/520 (‘the Safe Harbour Decision’), the Commission had found that the United States ensured an adequate level of protection. In a judgment delivered on 6 October 2015, the Court of Justice, before which the High Court (Ireland) had referred questions for a preliminary ruling, declared that decision invalid (‘the Schrems I judgment’).
 

Following the Schrems I judgment and the subsequent annulment by the referring court of the decision rejecting Mr Schrems’s complaint, the Irish supervisory authority asked Mr Schrems to reformulate his complaint in the light of the declaration by the Court that Decision 2000/520 was invalid. In his reformulated complaint, Mr Schrems claims that the United States does not offer sufficient protection of data transferred to that country. He seeks the suspension or prohibition of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the standard data protection clauses set out in the Annex to Decision 2010/87.

Taking the view that the outcome of Mr Schrems’s complaint depends, in particular, on the validity of Decision 2010/87, the Irish supervisory authority brought proceedings before the High Court in order for it to refer questions to the Court of Justice for a preliminary ruling. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield (‘the Privacy Shield Decision’).”

Namely, the CJEU invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield, while leaving intact the principles of data protection for non-U.S. third countries (the CJEU decision states that the Court “considers that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid”).

Official reactions to the CJEU’s decision

On its Privacy Shield website, the U.S. Department of Commerce states: “The [CJEU] issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. The U.S. Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and recertification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. If you have questions, please contact the European Commission, the appropriate European national data protection authority or legal counsel [2].”

Following the decision, EC Vice-President Jourová indicated that the Commission would abide and continue working with U.S. counterparts, stating that “[this] ruling provides further valuable guidance for us and we will make sure that the updated tool will be fully in line with it.” Didier Reynders, Commissioner for Justice, reinforced the idea that “[the EC] will work with the European Data Protection Board, as well as the 27 EU Member States. It will be very important to start the process to have a formal approval to modernise the Standard Contractual Clauses as soon as possible. We have been in an ongoing process about such a modernisation for some time, but with an attention to the different elements of the decision of the [CJEU].” He also indicated that “[…] the Court has invalidated the Privacy Shield. We have to study the judgement in detail and carefully assess the consequences of this invalidation”.

The European Data Protection Board (EDPB), essentially on the front line of the GDPR’s implementation in the EU and with third countries, pragmatically announced that it will study the judgment and its implications, and seemingly intends to reassure stakeholders on both sides, stating: “While the standard contractual clauses (SCCs) remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR.”

The EDPB is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities.

“Unofficial reactions” to the CJEU decision: U.S. and EC comments vary from one side of the Atlantic to the other.

A TechCrunch article[3], thoroughly exploring the potential impact of the Privacy Shield’s repeal on cloud applications, ironically states: “Short of radical changes to U.S. surveillance law, it’s tough to see how any new framework could be made to legally stick, though. Privacy Shield’s predecessor arrangement, Safe Harbour, stood for around 15 years. Its shiny “new and improved” replacement didn’t even last five.”

Lewis Silkin LLP, a U.K. law firm, interestingly states, on the Lexology.com website[4], its “immediate advice for organisations who transfer data outside the EEA (and of course specifically to the US) as follows:

  • Don’t panic.
  • Review existing international data transfers and data transfer mechanisms (hopefully a lot of this was done as part of your GDPR compliance) and identify areas of current non-compliance.
  • Wait for further guidance from EU/UK regulators and the FTC (including the arrival of the new SCCs from the EC).
  • Hope the EC and FTC come together quickly and create Privacy Shield Mark 2 for US transfers.
  • Where you are relying on SCCs for transfers to jurisdictions outside of the EEA including the US, consider putting together papers as to why you believe those territories offer adequate protection to data subjects so in the unlikely event you do come under challenge, you have the all-important written narrative to show the regulator.”

In this context, Think NEXUS will organise, through its policy working group, a webinar dedicated to the Privacy Shield in September (date not confirmed at the time of writing; to be announced on the project’s website).

[1] Court of Justice of the European Union, PRESS RELEASE No 91/20 – Judgment in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, 16 July 2020, available at https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf

[2] Privacy Shield Program Overview. https://www.privacyshield.gov

[3] Legal clouds gather over US cloud services, after CJEU ruling, available at https://techcrunch.com/2020/07/17/clouds-gather-over-us-cloud-services-after-cjeu-ruling/

[4] “The EU-US Privacy Shield invalidated in Schrems II: what does the European Court of Justice ruling mean?”. https://www.lexology.com/library/detail.aspx?g=d175626a-49c1-4eb5-9ee5-e39da301bc5b


Webinar #2: Empowering Women in Tech – a Transatlantic vision

The Think NEXUS project (thinknexus.ngi.eu/) is hosting a webinar on “Empowering Women in Tech – a Transatlantic vision”, which will take place on July 23rd at 16.00h CEST.

Gender still represents a clear challenge to overcome for the Next Generation Internet. It requires balancing and reinforcing the digital competences and literacy of women to succeed in an increasingly digitalised and fast-changing labour market.

In this context, this free webinar will focus on exploring how Europe and the United States approach the empowerment of women in the digital economy. Participants will have the opportunity to hear the experiences and perspectives of three female pioneers who have made a place for themselves in the sector and who will share insights and recommendations on how a Transatlantic alliance can grow into a more equal model.

You can find the webinar’s agenda and registration link in the flyer below. Participation is free of charge but registration is required prior to the event.

Registration link: https://register.gotowebinar.com/register/6173094093056596752


Think NEXUS #Webinar: Advanced wireless networking 5G and beyond

Think NEXUS (thinknexus.ngi.eu/) is hosting a webinar focused on “Advanced wireless networking 5G and beyond”, which will occur on July 22nd at 16.30h CEST (please see the flyer below).

During this webinar, participants will have the opportunity to learn more about the state of play of advanced wireless networking 5G in the EU and the USA. The webinar will feature keynote speakers in this field of knowledge.

You can find the webinar’s agenda and registration link in the flyer below.

Free registration at: https://attendee.gotowebinar.com/register/8184315265026278928

 

 


Main outcomes from the first Innovation & Entrepreneurship Expert Group roundtable

The first Think NEXUS Workshop took place in the Walter E. Washington Convention Center, Washington D.C. on 10th July 2019, in parallel with the GCTC Expo. During the Workshop, the 3 Expert Groups had their first round of face-to-face discussions, which focused on fostering future EU-US collaboration over NGI thematic areas.

During the first Innovation & Entrepreneurship Expert Group discussion, experts were encouraged to address friction points in bilateral collaboration between the EU and the US. Some of the most relevant aspects considered during the round table are:

  • Concept of innovation.  Definitions matter; it’s hard to have effective understanding and build on concepts without them. One of the basic discussions that took place was about the vision of ‘innovation’ itself, and the role that private and public sectors should play in it, which slightly differs in each ecosystem – Innovation of the market versus technological innovation. Innovation in the USA has a clear go-to-market implication.
  • Role of public administration. Public agencies struggle to manage a landscape where technology changes at such a rapid pace that it is not realistic to consider the government a thought leader in innovation. However, there are 2 potential aspects where policy can have a significant role: 1) allow innovation to happen, as regulation can get in the way of disruption; 2) identify how to bring society into the equation, highlighting the social issues and making them relevant. The technology sector risks losing the trust of citizens if cases like privacy breaches and unauthorised exploitation of personal data continue. Policy should be adapted to a local vision. In the case of Europe, the EC has a much stronger influence over the innovation ecosystem as a consequence of its weighty public funding instruments and its regulatory strategy. A few experts consider this should not be the way to go, as this top-down approach may create inefficiencies in the system and leaks in terms of resources.
  • Future of Work. Europe and the USA often have a different interpretation of the achievements/KPIs when it comes to the market impact of innovation.
  • Single Market. While the US already works as a unified market removing key differences between online and offline worlds, breaking down the barriers to cross-border online activity, the readiness of the European ‘Digital Single Market’ vision still lags behind. Up until now, EU citizens and businesses have often faced barriers when using online tools and services. These barriers mean that consumers have restricted access to some goods and services, businesses cannot reap all benefits from digitisation, and governments and citizens cannot fully benefit from this digital transformation.
  • Cultural gaps. Regardless of the multiple efforts towards an EU-US collaboration, there is a cultural divide that prevents an effective and stronger Transatlantic partnership. Europe has already achieved a mature level of collaboration among its member countries, often facilitated by common frameworks. However, when it comes to working with US partners, there are a number of significant differences in terms of culture, such as:
    • Semantics;
    • Communication;
    • Entrepreneurship in universities; and
    • Culture of failure.

Partners in both ecosystems interested in fostering a bilateral collaboration must understand that the cultural divide is an issue and, therefore, need to make efforts to adapt to each other. One of the proposals suggested was to educate US partners in the European mind-set.

  • Joint narrative. It is crucial to identify shared ‘pains’ and propose strategic plans that will allow us to target priorities and objectives towards the Digital Economy and the evolution of Internet. It is important to recognize — and then reinforce — the fundamental principles and programmes that can underpin like-minded cooperation and global competitiveness in Focus Areas such as 5G and Artificial Intelligence around privacy, openness, trust and diversity.
  • Collaboration scheme. One of the main conclusions of the Expert Group was the lack of a proper and agile platform for collaboration between regions around technology innovation: a balanced instrument (not 100% sponsored by public or private funds, as this approach does not fully fit either region) that could support and drive non-partisan leadership on forward-looking Transatlantic partnerships around innovation and entrepreneurship.

Stay tuned to know more about the outcomes of the Expert Group discussions!


Main outcomes from the first Science and Technology Group roundtable

The first Think NEXUS Workshop took place in the Walter E. Washington Convention Center, Washington D.C. on 10th July 2019, in parallel with the GCTC Expo. During the Workshop, the 3 Expert Groups had their first round of face-to-face discussions, which focused on fostering future EU-US collaboration over NGI thematic areas.

The overall approach of this 1st ‘Science and Technology’ Expert Group discussion was to allow all experts to brainstorm about a pre-defined set of questions. However, in many cases, additional topics popped up during the discussion.

One of the first key topics that all experts raised is the fact that, in general, S&T policies need to synchronize with technology developments, as in many cases policies are considered to be obsolete. Moreover, the need for a joint funding scheme between the EU and US should be of high priority for both regions, which need to collaborate instead of competing. Another relevant issue for policy makers is the communication/coordination bottleneck between policy makers and funding agencies from both regions.

Adding to the above, most experts agreed that current networks are struggling to support NGI-related research experiments, as they are commercially focused and need to be significantly updated. In parallel, all experts concluded that Joint Experimentation Testbeds & Networks are needed, and that engaging big players (platforms such as Google, Amazon, etc.) to offer infrastructure for research is vital.

Experts also agreed on what the key NGI technologies are and on the most important characteristics that these technologies should have in order to serve the purpose of the future internet. In addition, all experts agreed that standardisation bodies, industrial representatives and user representatives should also be included in the NGI discussion.

In conclusion, the Expert Group agreed that there are many options for transatlantic collaboration. Thus, topics that are not too reliant on the involvement of competing companies (e.g. that address world-wide societal challenges, or that focus on low-TRL fundamental research) are promising candidates. The meeting led to a fruitful discussion of numerous important aspects that helped both sides to understand in more detail the initiatives, the players, and their focus on either side.

Overview & Outcomes (in a nutshell)

  • Key Technologies: IoT, Digital ledger technology, Big Data, Trust & Identity, Cloud computing, Edge, AI, Real time control, Smart Infrastructures, 5G, Cloud to Edge, Edge to Edge Communication Technologies, Intelligent Operating Systems
  • Characteristics of Technologies: Enable mobility, more visual, less complex, more secure, autonomous deployment systems, data-centric services, distribution of computation elements (decentralised), distributing computation
  • Organic & Intelligent Internet

Key Suggestions (in a nutshell)

  • Formal Collaboration Mechanism between EU and US is needed for getting great results
  • The need to engage Standardisation bodies, Industrial Stakeholder Groups and User Representatives Groups
  • Policies need to synchronize with technologies
  • Identify Key Application Areas: Connected Healthcare, Global Challenges, Disaster Relief
  • Need for a joint branding: introduce NGI terminology in the US funding environment.

Stay tuned to know more about the outcomes of the Expert Group discussions!


Main outcomes from the first Policy Expert Group roundtable

The first Think NEXUS Workshop took place in the Walter E. Washington Convention Center, Washington D.C. on 10th July 2019, in parallel with the GCTC Expo. During the Workshop, the 3 Expert Groups had their first round of face-to-face discussions, which focused on fostering future EU-US collaboration over NGI thematic areas.

Regarding the Policy Expert Group roundtable, the group started the day by identifying the topics / areas that were considered of relevance for the discussions. Thus, the first exchanges within the policy group tackled the identification of the main challenges the internet will have to face in the next 5 to 10 years.

Furthermore, this workshop enabled the experts to identify a first set of key challenges that are to be further explored within the next developments of the project.

Main outcomes:

NGI cooperation support schemes:

As a first observation, experts noted that EU and US innovation support schemes are intrinsically different when considering NGI. Transversal cooperation between research, industries and policy makers has no equivalent in the US. Moreover, most bilateral cooperation schemes do not provide funding for the other party, i.e., the EC finances EU stakeholders and US agencies finance their nationals. Thus, joint or coordinated funding schemes that would enable EU/US cooperation are lacking, notably concerning entrepreneurship support.

Key parameters: (1) Trust management in complex environments; (2) Security intelligent trade-off (efficiency / security); and (3) Pilot Project in the field of Distributed Ledger Technologies (DLTs).

US and EU standardization bodies’ collaboration across NGI technologies:

The NGI initiative explores new fields and technologies that are creating new international standards. These NGI-related technologies could give EU and US standardization bodies the opportunity to set up cooperation mechanisms that break down silos and thus foster the fast-tracking of standards, benefiting both sides in international competition.

Key parameters: (1) IoT developments and NGI principles integration; and (2) Standardization bodies cooperation mechanisms.

Developing a common language on Artificial Intelligence:

AI is a major technology the NGI builds upon. As such, the development of solutions generates a new field of rule-making for policy makers. However, the semantics behind AI technologies and applications are not shared between both sides of the Atlantic (or even within each region itself). Cooperation on AI taxonomy could offer the opportunity to better tie together EU and US developments and mutual understanding, thus fostering this technology’s growth.

Key parameters: (1) Translating AI developments in understandable terms for policy makers; (2) Algorithm fairness & transparency; and (3) Identifying the data per AI applications.

Building cooperation upon shared values:

The questions of trust and security in online voting systems as well as the ‘social cybersecurity’ (tackling aspects such as misinformation, etc.) of citizens were notably deemed as relevant within EU/US collaboration schemes, in line with the values these regions share.

In conclusion, the Expert Group agreed that there are many options for transatlantic collaboration, and it was discussed which topics and areas are most suitable for collaboration initiatives.

Key parameters: (1) Trust management in complex environments; (2) GDPR / Californian policy; (3) Security intelligent trade-off (efficiency / security); (4) Pilot Project in the field of Distributed Ledger Technologies (DLTs); (5) Digital divide.

Stay tuned to know more about the outcomes of the Expert Group discussions!


Think NEXUS US Workshop 2019

Think NEXUS organised its first Experts’ Workshop on July 10th in Washington DC, USA.

The Workshop started with an introduction session from Chris Greer, Director of the Smart Grid and Cyber-Physical Systems Program Office and National Coordinator for Smart Grid Interoperability, NIST. In addition, the opening remarks were presented by Peter Fatelnig, Minister Counselor for the Digital Economic Policy, European Union (EU) Delegation to the United States (USA).

Ken Calvert, Division Director for Computer and Network Systems in the Computer and Information Science and Engineering (CISE) Directorate, National Science Foundation (NSF), presented a session on “NSF-EU Collaboration in Networking Research”; and Andrew Sullivan, President & CEO of the Internet Society provided his views on Next Generation Internet.

During the day, each Expert Group had a breakout session to discuss the groups’ scope and goals and a session to discuss framework developments, operational objectives and the first sprint.

Finally, a “live” wrap-up of the outcomes of the breakout sessions was presented by the leaders of each Expert Group.

The Workshop was organised under the scope of the Global City Teams Challenge – Smart and Secure Cities and Communities Challenge (GCTC-SC3) – Expo, which is co-hosted by US National Institute of Standards and Technology (NIST), the US Department of Homeland Security Science and Technology Directorate (DHS S&T), and the National Telecommunications and Information Administration (NTIA).

Stay tuned for more news!


Think NEXUS Newsletter #1 is out!

Do you want to know more about Think NEXUS? Check out Think NEXUS’ first newsletter and find out the most recent project developments and upcoming activities.

Click here and feel free to share it!

Stay tuned for more news!

ENRICH in the USA webinar: Big Data

The webinar will be held on May 28th at 4.30pm CET and will provide information about the USA Big Data ecosystem. Please download the agenda here:

The webinar will be delivered by four speakers from the National Science Foundation (NSF) Regional Big Data Innovation Hubs. Two of the speakers are also Think NEXUS’ experts.

Speakers:

  • Dr. Katie Naum – Northeast Big Data Innovation Hub
  • Dr. Meredith Lee – West Big Data Innovation Hub
  • Dr. Renata Rawlings-Goss – South Big Data Regional Innovation Hub
  • Dr. René Bastón – Northeast Big Data Innovation Hub

Topics:

  • Relevant programs, projects and entities in each USA region
  • Characteristics of the Big Data ecosystems in the USA regions
  • Main regional challenges
  • Potential opportunities for cooperation in the USA

The webinar will be held in English and is free of charge, but registration is obligatory.

To attend the webinar please register here!


Think NEXUS US Workshop 2019

Think NEXUS is organising its first Workshop on July 10th in Washington DC, USA.

During the Workshop, the three project Expert Groups will have their first round of face-to-face discussions on EU-US collaboration on NGI topics.

The outputs of the Workshop will be fed into the future EU/US roadmap for NGI.

The Workshop will be organised under the scope of the Global City Teams Challenge – Smart and Secure Cities and Communities Challenge (GCTC-SC3) – Expo, which is co-hosted by US National Institute of Standards and Technology (NIST), the US Department of Homeland Security Science and Technology Directorate (DHS S&T), and the National Telecommunications and Information Administration (NTIA).

Flyer: