Agreement on proposals for Safe Harbour II is expected to be achieved by the end of January, Wojciech Wiewiorowski, the Assistant European Data Protection Supervisor (EDPS), Belgium, told some 400 delegates at Information Security Solutions Europe (ISSE 2015) in Berlin today.
He explained that Safe Harbour was only intended as an interim measure until the US caught up with European data regulation, a decision by the European Commission that stuck for 15 years until it was declared invalid this year.
Wiewiorowski said: “I believe solutions will exist in the future (between Europe and) the US and another partner. If they do not exist we will have to treat the US the same as Iran and China, which is not what we want. Safe Harbour II has already been under discussion for a year and a half. I believe it will finish by end of January – but is it the solution that will be accepted by the parliament? I am optimistic that we will find a solution between US and European market.”
But Norbert Pohlmann, chairman/IT security director at TeleTrusT, who moderated the session entitled ‘Requirements on new regulations and current changing needs from the view of the EDPS’, noted that one of the challenges faced was differing cultural perspectives, with 76 percent of US respondents to a recent survey agreeing that private data collected by a company belonged to that company, whereas only 22 percent of German respondents agreed.
Talking to SCMagazineUK.com, Wiewiorowski confirmed: “Eleven of 13 objections from the European Commission have been resolved, but the two that remain are that the American authorities are able to gain access to data held by American companies, wherever held, and second, that only American citizens are able to seek redress in the American courts for breaches (eg of privacy) by American companies.”
He explained that the problem of the US government having access to data stored by US companies was not covered by the original agreement. In addition to changes wanted from the Americans, Europe also has a lot to do, as there are US accusations that activities similar to those ascribed to the NSA are also going on in Europe “...and it's true, when it comes to oversight of surveillance in Europe – we don't know too much about what's happening in many countries.”
Whatever the inadequacies of surveillance oversight proposals made in the UK, the point was made that at least a legal basis was being established, and a certain level of transparency, whereas in many countries in Europe it was simply not in the public domain as to what they may or may not be doing.
Wiewiorowski added: “We have to have a directive for law enforcement activities – I can't say that the proposal in the trialogue [discussion to get agreement between the European Commission, Council of Europe and European Parliament] meets all expectations on law enforcement.” He also explained that it was not entirely clear what legal changes the commission expects to be made on the US side.
In the wider session, Pohlmann also noted how we are building the internet society with increasing numbers of local services being linked to the internet, creating better connectivity, but that IT security was not secure and trustworthy enough, and so risked damaging growth. There were also concerns with the business model of payment with personal data, without an option to change this model and to pay cash, not with data.
Among the figures cited to demonstrate this state of affairs, he noted that industrial espionage has caused €51 billion of annual damage in Germany alone, while cyber-crime generated at least €100 million in losses per annum in Germany – even though it was known that there are a lot of unreported cases.
A key point of Wiewiorowski's presentation was to note that we are all data subjects. The data is about us, how we behave and how we see the world. It goes far into the dignity of the individual. Consequently, protection of personal data is now a fundamental right in the EU, for citizens and those cooperating with it. Yet conversely, EC institutions such as Parliament are not restricted regarding what they are able to do with this data.
“Therefore the fundamental rights need to be clarified,” concludes Wiewiorowski, adding that while EDPS comprises authorities in each of 28 states, and in some countries such as Germany, at a local province level, as well as on a European level, there is no central control of data protection.
The main goal remains to facilitate free flow of data, not just security. But reform, while needed, is not a Copernican revolution removing an error; rather, it reaffirms that the person is at the centre of the legislation, and that the approach should be codified both in law and in ethics.