New EU-US Data Protection Agreement Imminent

Written by Siddharth Manohar

Data exchange flowing from the EU (specifically the European Economic Area) to the US currently has no legal framework regulating it. Does it mean that any data transfer from EU to US is illegal?  In my previous post on the issue I mentioned that the old agreement regulating the data transfer had been struck down at the Court of Justice of the European Union (CJEU). National data protection authorities in the EU have taken a pragmatic step by holding back on attacking all data transfer, until a new agreement is reached to replace the old Safe Harbour Agreement.

A breakthrough in this respect came about a couple of weeks back, with the European Commission announcing that they have agreed on a new framework to protect the rights of individuals who give data to US companies that process the data in their local servers. The agreement once finalised will replace the Safe Harbour principles in order to legalise the data transfer. This new framework, called the US-EU Privacy Shield, has three sets of strong obligations: data handling, transparency, and redress mechanisms.

The first major obligation is on US companies to make and publish commitments on data protection and individual rights. These commitments hold them accountable to US Federal Trade Commission (FTC), as well as the diktats of the European Data Protection Authorities (DPAs). The second consists of restrictions on surveillance practices by US state authorities. Any kind of surveillance will now be subject to clear limitations, safeguards and oversight mechanisms, and the methods will be only those that are necessary and proportionate. Mass surveillance has been completely ruled out, and meetings to review these practices have also been planned for future follow-up. The third part of this arrangement consists of a redress mechanism. European DPAs can refer cases to the US Department of Commerce and the FTC, and the option of alternate dispute resolution is also provided.

The parties are now working towards the measures required to put the new agreement in place, specifically the US, who will try to formalise the commitments made in the agreement. The European Commission on the other hand is preparing a draft for an ‘adequacy decision’ that member states can adopt to formalise the process on the EU side. The full text of the agreement is expected to be made available in the coming weeks.

The agreement has also come under criticism from privacy experts, who claim that the agreement suffers from the same weaknesses of the Safe Harbour agreement. They argue that this agreement is a mere political compromise that does not help protect the rights and data of users. This would require amendments to the national laws in both locations. Controversial provisions in US law that continue to authorise infringements on users’ rights are still effective, like Section 702, which allows for surveillance of data relating to non-US persons to be carried out in the US. Executive Order 12333, which deals with surveillance outside of the US, has no legal oversight mechanism whatsoever. It is these laws that will need amendments in order to make surveillance subject to conditions of necessity and proportionality.

The other persistent problems which have remained include the provision for self-certification, which provides inadequate protection against ensuring enforcement of privacy standards. A recent amendment to a Bill which would provide redress mechanisms for EU users to enforce rights over their personal data, also adds to the problems which plague the possible effectiveness of the new agreement. The long term solution to this situation does not look like it will arise from a single event or set of negotiations, and we now await the release of the full text of the agreement to see where we can go from here.

Nsa-eagle-white

Cybersecurity Cooperation – India’s Latest Bilateral Arrangements

By Shalini S

The current Indian Government has continually offered significant strategic thrust to cybersecurity and related issues. In November 2015 alone, India established multiple collaborative partnerships that for cooperation in cybersecurity with various countries. This is a welcome move for the sector which continually presents advanced security challenges. There is a demonstrated interest in addressing this serious contemporary concern. In addition, efforts are being made to establish extensive cybersecurity cooperation to ensure protected cyber networks. The latest bilateral ties established by India to boost cybersecurity cooperation are elucidated below.

India and UK signed a first of its kind joint statement that will enable them to collaborate and jointly educate and train its cybersecurity professionals. Together, the countries are also slated to establish a cybersecurity training centre to enable dialogue and exchange of expertise. Additionally, the UK will also help setup a new cybercrime unit in India. This joint statement released after Prime Minister Narendra Modi’s visit to the UK closely follows the visit of UK’s first cybersecurity delegation to India in October 2015.

For the first time, India and China have also decided to establish ministerial mechanisms to effectively tackle transnational crime and specifically delineated cybercrime cooperation as a measure to boost security cooperation between the countries. The new high-level mechanism will be established under the home ministries of both the countries and will result in information exchange, law enforcement and technical capacity building to jointly combat cybercriminal activity. An official bilateral document endorsing this new security collaboration is yet to be signed.

A joint statement from Prime Minister Narendra Modi and his Malaysian counterpart released this week, revealed that their delegation-level consultations between the countries had resulted in the signing of a Memorandum of Understanding (MoU) aimed at strengthening cooperation on cybersecurity. As this MoU was signed between Indian Computer Emergency Team (CERT-IN) and CyberSecurity Malaysia (national cybersecurity agency), closer cooperation in cyber-policy evolution, technological expertise exchange and incident management can be expected.

Later in the same week, a similar agreement for bilateral cooperation and collaboration in cybersecurity measures was signed between CERT-IN and SingCERT (Singapore’s Computer Emergency Response Team). The MoU which envisions research collaborations, in the sector, between the two countries, also agreed to setup appropriate mechanisms to facilitate future dialogue on prevalent policies, best practice, bilateral consultations and real-time exchange of information and has established a broader framework of cooperation between the countries.

India’s recently established and renewed bilateral ties with these countries hinges on mutual sharing of information and best-practices, both critical in constructing a shared response to conspicuous cyber incidents. As these collaborations also come in the wake of joint commitment of India and US to strengthen cooperation on a range of cyber issues, India’s serious commitment in fostering multiple bilateral dialogues and cooperation on cybersecurity and related issues is apparent and must be lauded.

US-India Cyber Dialogue 2015

Following India’s splash in the global internet governance scene with the statement made by the Hon’ble IT Minister at ICANN53, the recently held 4th United States – India Cyber Dialogue is yet another key event in India’s internet governance landscape.

India and the United States have committed to strengthen their cooperation on “a range of cyber issues including cyber threats, enhanced security information sharing, cyber incident management, cybersecurity cooperation in the context of Make in India, efforts to combat cybercrime, Internet governance issues, and norms of behaviour in cyberspace”.

The following is the text of the Joint Statement:

“To increase global cybersecurity and promote the digital economy, the United States and India have committed to robust cooperation on cyber issues. To that end, the United States and India met at the U.S. Department of State in Washington, DC on August 11 and 12 for the 2015 US-India Cyber Dialogue.

The whole-of-government Cyber Dialogue, fourth in the series, was led by the U.S. Cybersecurity Coordinator and Special Assistant to the President Michael Daniel and by India’s Deputy National Security Advisor Arvind Gupta. The Department of State Coordinator for Cyber Issues Christopher Painter and the Ministry of External Affairs Joint Secretary for Policy Planning, Counterterrorism, and Global Cyber Issues Santosh Jha co-hosted the Dialogue. U.S. whole-of-government participation included the Departments of State, Justice, Homeland Security, Treasury, and Commerce. The Indian government was represented by the National Cyber Security Coordinator at the National Security Council Secretariat, the Ministry of External Affairs, the Ministry of Home Affairs, and the Ministry of Communication and Information Technology.

The delegations discussed a range of cyber issues including cyber threats, enhanced cybersecurity information sharing, cyber incident management, cybersecurity cooperation in the context of ‘Make in India’, efforts to combat cybercrime, Internet governance issues, and norms of state behavior in cyberspace.

The two delegations identified a variety of opportunities for increased collaboration on cyber security capacity-building, cyber security research and development, combatting cybercrime, international security, and Internet governance, and intend to pursue an array of follow-on activities to bolster their cyber security partnership and achieve concrete outcomes.

In addition to the formal Dialogue, the delegations met with representatives from the private sector to discuss issues related to cybersecurity and the digital economy. The Indian delegation also met with Deputy Secretary of State Antony Blinken and Assistant to the President for Homeland Security and Counterterrorism Lisa Monaco.

The two countries decided to hold the next round of the Cyber Dialogue in Delhi in 2016.”

With India’s vision to transform the country into a digitally empowered society and knowledge economy through the Digital India programme, the support of strong cybersecurity infrastructure becomes essential. Bilateral, multilateral and multi-sectoral cooperation in this area will be a space to watch out for.