A mechanism for the transfer of data between the European Union (EU) and the US to replace the Safe Harbour agreement is achievable, according to an EU data protection official.
In October 2015, the European Court of Justice declared the Safe Harbour framework was invalid as a mechanism to legitimise transfers of personal data from the EU to the US.
But according to assistant European data protection supervisor Wojciech Wiewiorowski, the ruling did not say the Safe Harbour processes themselves were invalid, but that they were simply not enough.
“I am optimistic that we will find a solution, but I agree that the issue of US authorities being able to access data held by US firms needs to be addressed,” he told the ISSE 2015 security conference in Berlin.
However, Wiewiorowski said that to achieve a solution, there is a lot of work to be done not only by the US, but also the European Union.
On the planned EU General Data Protection Regulation (GDPR), he said it should be noted that data protection in the EU context is about fundamental rights, not just data management.
The GDPR is all about ensuring the protection of a fundamental human right to data privacy, added Wiewiorowski.
“The world has changed since the last directive was drawn up, and that means we have to adapt. But it does not mean that we have to abandon core European values,” he said.
In addition to achieving a single law for all European member states, a key objective of the GDPR is to ensure privacy by design and privacy by default in all activities and processes.
“But it is not only about data protection. It is also about ensuring a free flow of information. Therefore, a key objective is a secure environment for information exchange where the data subject, the human being, is at the core,” said Wiewiorowski.
Another key characteristic of the GDPR, he said, is the shift from a prescriptive point-by-point regulation to one that is aimed at ensuring the accountability of those entrusted with personal data.
“The goal is more than mere compliance with point regulations. Organisations will be required to explain how they are taking privacy into account with every activity.”
It is also important to note, said Wiewiorowski, that in the GDPR, purpose limitation is still one of the core components.
“Organisations will still be required to show that the data they are collecting is suitable, necessary and not excessive, and they will be allowed to use the data only for the purposes it was originally collected,” he said.
On the topic of big data, Wiewiorowski said big data equates to big responsibility, especially given that when very large data sets are involved, even anonymised and pseudonymised data could be considered personal data because of the possibility of de-anonymisation.
Finally, he said organisations should understand that it is not enough to think just about the law and that ethics often has an important role to play.
“When it comes to some data mining activities, ethics is often the only guideline to ensuring the right behaviour.”
According to Wiewiorowski, the final text of the GDPR is currently expected to be agreed by the end of 2015, to be ratified in early 2016, and to be published by the middle of 2016.