DATA SECURITY

After two years of negotiations, political leaders in the EU and the US have presented an agreement in principle that will ensure a safer flow of data across the Atlantic. Far from impressed everyone.

Before the weekend, European Commission President Ursula von der Leyen and US President Joe Biden presented in a joint statement a new agreement in principle, which will resolve many of the complications that have arisen after the so-called Schrems II decision starting in 2020.

This decision means that companies exporting personal data from Europe and the UK to third countries, including the United States, must carry out a comprehensive survey of these transfers and a detailed assessment of the legal and practical risks of surveillance by public authorities in the recipient country. .

The new text of the agreement, among other things, states that the United States seeks to introduce more “proportionate” reforms in terms of oversight to safeguard the country’s security.

READ ALSO: Now it is very important to find alternatives to Google Analytics

Provides a secure foundation

Mads W. Egseth is a consultant at CIO Advisory at KPMG and has been following developments in European privacy law closely. He believes this is an auspicious day for transatlantic privacy and cooperation.

– Finally there is development in the area. Now, the transmission base required to transmit the type of personal data that has been a problem since the Privacy Shield agreement was canceled two years ago has come into effect.

– The risk is lower now. “We hope especially the public sector, for example the health sector, which has been reluctant to get into computer projects where Norwegian personal data has to be processed in the US, will now look at the possibility of finding a secure cloud solution,” he said.

It is not only SOEs that are affected. Anyone using Google analytics or other data solutions that send personal data to the United States has been advised by the Norwegian Data Protection Authority to look for alternatives.

– All processing of personal sensitive data has been affected. The fact that the EU and the US have now reached an agreement provides a safe basis for continuing the types of work that require processing beyond Norway’s borders through the EEA agreement.

Egseth is aware that the final contract language hasn’t been drafted yet, so it remains to be seen what the actual changes will be.

– In short, it will probably be a lot of the same things you had before Privacy Shield was removed, but with expanded legal security mechanisms.

Want a deal on zero espionage

Some players, on the other hand, point to weaknesses in the agreement. Among them is Maximillian Schrems, a lawyer and Internet activist who is a prime mover in many lawsuits in the EU, which have challenged tech giants as well as authorities.

In a statement published by the non-profit organization Noyb (“none of your business”), Schrems points out first and foremost that there is no specific legal text that deals with treaties in principle.

He estimated that it would still be several months before such a text existed.

– It is a pity that the EU and the US did not use this situation to agree a “no espionage” agreement, with basic guarantees between like-minded democracies. Customers and companies face several years of legal uncertainty, Schrems believes.

Following the Schrems II ruling, the Norwegian toll company Ferde, among others, has been fined NOK 5 million for the illegal transfer of personal data about Norwegian motorists to China.

READ ALSO: The new line of the European Union very hard hits the biggest technology companies

Can stop data transfer

According to a report from January prepared by law firm DLA Piper, creating Schrems Verdict II not only risks fines and demands for damages, but also threatens to stop the transfer of personal data.

– Threats to stop the transfer of personal data are potentially far more dangerous and expensive than threats of fines and claims for damages. The focus on transfers and the significant work required to achieve compliance inevitably means that organizations have less time, money and resources to focus on other privacy risks, said DLA Piper Norway expert group for data privacy and security, Petter Bjerke, when the report said. launched. .