
Tag: Privacy Shield

The IAPP-EY Privacy Governance Survey shows marked interest in the Privacy Shield framework to transfer personal data.
Whitehall can't even convince UK it's not watching everything we do UK surveillance laws could be an obstacle to the creation of a US-Europe Privacy Shield-style arrangement post-Brexit.…
Spies given carte blanche thanks to Trump order The critical transatlantic data agreement, named Privacy Shield, is worthless, gives intelligence agencies complete free rein, and should be discarded, according to Human Rights Watch and the American Civil Liberties Union.…
It's not fine The acting head of the US Federal Trade Commission, Maureen Ohlhausen, has sought to assure people that the critical Privacy Shield data-sharing agreement will hold up despite President Trump's recent executive orders on immigration.…
In his first fortnight in office, President Trump has shown himself willing to upend precedents and protocols. He may also have shredded the basis for a data-sharing framework that U.S. businesses -- particularly tech companies -- rely on to facili...
President's executive order causes jitters, but data agreement became law today The transatlantic Privacy Shield data transfer agreement is not at risk from Trump's executive actions, former FTC Commissioner Julie Brill has promised.…
We are all 'Removable Aliens' now Analysis President Trump's Executive Order (Enhancing Public Safety in the Interior of the United States) has caused controversy over its temporary ban on all Muslims entering the USA from certain countries. It has consequences for data protection.…
Europe's Privacy Shield shaken by US prez Analysis  US President Donald Trump may have undermined a critical data sharing agreement between the United States and Europe that internet giants rely on to do business overseas.…
Privacy Shield, the new international framework allowing companies to transfer customer data between the EU and the U.S., is getting good reviews so far, but some companies aren't betting on it for the long term.

Companies using Privacy Shield worry that it may face the same fate as its long-used predecessor, the Safe Harbor Framework, which was overturned by the European Court of Justice in October 2015 after revelations of mass surveillance by the U.S. National Security Agency. Digital Rights Ireland and French civil liberties group La Quadrature du Net have also challenged Privacy Shield in court, saying the new framework doesn't adequately protect Europeans' privacy.

While U.S. companies are embracing Privacy Shield, many European businesses are "still concerned that Privacy Shield will not hold up under court scrutiny, and they will find themselves in the same scenario as they were in October 2015, when the Safe Harbor agreement was struck down," said Deema Frei, global privacy officer at Intralinks, a New York cloud-based content collaboration provider. Some European companies see Privacy Shield certification as a "tick box" compliance exercise, she added. Given the doubts about its long-term viability, companies should also consider other data transfer agreements, such as EU model clauses or binding corporate rules, she recommended. However, if companies can get certainty about Privacy Shield's future, and if it won't be "attacked in the long term by data privacy activists trying to discredit it and challenge its validity, I believe it will work in the long run," Frei added.

More than 1,100 users

As of early December, about five months after Privacy Shield went into effect, about 1,150 U.S. companies had signed up to handle European customer data under Privacy Shield, up from about 500 at the end of September. Another 600 U.S. companies had applications under review. Those numbers compare to more than 4,500 U.S. companies that had participated in the Safe Harbor data-transfer program, according to the U.S. Department of Commerce.

Like Intralinks, cloud security firm CipherCloud is worried about the legal challenges to Privacy Shield, said David Berman, senior product marketing manager there. "If a European Court decision does invalidate Privacy Shield, there will be another period of uncertainty" similar to what happened after the Safe Harbor agreement was struck down, he said. "If the new framework can withstand legal challenges it should continue to attract companies that want an overarching mechanism to transfer EU data to the U.S." Small and medium-size businesses, as well as cloud providers, seem to be embracing Privacy Shield, but the new data transfer rules impose more obligations than the old agreement, Berman said.

"Privacy Shield has more privacy protections for individuals than Safe Harbor, so firms will have to be more diligent and ensure they are complying with the new privacy principles or risk public disclosure of a violation by the U.S. Department of Commerce," he said. "Some firms may find the increased oversight, additional requirements, and sanctions for non-compliance under Privacy Shield a barrier to adoption."

Compliance and surveillance

The number of Privacy Shield companies still lagging behind those that used Safe Harbor could indicate that Privacy Shield is more difficult to comply with, added Elodie Dowling, corporate vice president and general counsel for Europe, the Middle East, and Africa at BMC Software. In addition to the legal challenges, some EU data privacy regulators have suggested that Privacy Shield "does not do enough to curtail U.S. surveillance," Dowling added. EU privacy regulators will review the agreement in 2017. The legal challenges may be only beginning, she added.

Max Schrems, the Austrian man who led the fight against Safe Harbor, has questioned how 500 companies received certification in the first month Privacy Shield was available. "This is undoubtedly showing that there are serious concerns around ... Privacy Shield and its ability to indeed protect EU citizen's fundamental right of privacy when their personal data is being transferred to the U.S.," Dowling said. BMC has not yet signed up for Privacy Shield, instead deciding to "rely on another mechanism to safely and legally transfer personal data outside of the EU anywhere in the world": binding corporate rules.

For Privacy Shield to succeed, it needs support from the EU, including the data protection authorities in each member state, added David Hoffman, Intel's associate general counsel and global privacy officer. Intel supports the new agreement but wants to keep other mechanisms, such as binding corporate rules, in place as well, he said. If data transfers are between subsidiaries of the same company, companies can use binding corporate rules to define the data responsibilities. As an alternative to Privacy Shield, companies can protect external transfers through model contract clauses restricting what the receiving company may do with the data.

But companies are concerned about the future of those alternate data transfer methods as well, Hoffman said. While Privacy Shield and alternative transfer methods are in place for now, the future is uncertain. "Some of the same arguments about Safe Harbor and Privacy Shield can be made about alternative transfer methods," he said. "If there are concerns about law enforcement and national security agencies accessing information, then there would be the same concerns about alternative methods because those agencies can also access it when it's transferred by other means."
With the current Windows Insider cycle previewing the Creators Update for Windows 10, Microsoft has started talking about what it's going to mean for the enterprise.

There's a lot in the new release beyond the headline 3D features, with a strong focus on improving enterprise security and management. The current threat landscape is complex, with regular revelations of significant data breaches and an ever-evolving set of attacks and attackers. It's good to see Microsoft making a commitment to helping businesses deal with the aftermath of a network intrusion, with support for a new release of its Windows Defender Advanced Threat Protection (ATP) tool as part of the next major enterprise release of Windows 10, due sometime in the first half of 2017.

What is Windows Defender ATP?

There's some confusion about the role of Windows Defender ATP, partly because it shares elements of its name with Windows' Defender antivirus tools. Although ATP is part of your overall security tools, alongside Defender, the Edge browser's SmartScreen download manager, and the spam and malware filters built into Office 365, ATP is specifically a post-attack tool, using telemetry from managed PCs to track the path of an attacker through your network. Modern network security is about layering responses and having effective tools that work to prevent, detect, and clean up after breaches. ATP won't stop your network being breached, but it will help identify breaches after they've occurred and give you more understanding of how they happened and what information might have been compromised.

That's an important distinction from other security tools, one that makes ATP an increasingly important tool in a rapidly changing regulatory environment. Businesses with customers in the European Union will already be aware of the requirements of the U.S.-EU Privacy Shield agreement and the upcoming implementation of the EU's General Data Protection Regulation breach notification rules, along with the possibility of heavy fines. Understanding what happened during an attack and any resulting breaches is a key component in any active security process. You can't be prepared for every instance, not when zero-day attacks sell for more than the available security vulnerability bounties. That means it's not a matter of if but of when you're attacked.

ATP's after-breach analysis

Tools like ATP analyze the behavior of possibly compromised systems to give you a picture of what happened and how it happened. That's key to developing your response to attacks, working out what policies must be implemented to prevent a recurrence, and figuring out what needs to be done to ensure that attackers no longer have access to your systems and that you have as complete a trace of their actions as possible.

A set of endpoint sensors built into Windows 10 delivers behavioral information to Microsoft's cloud services, which use machine learning to interpret the signals from your devices. By understanding what the behavior of a normal PC looks like, ATP can then identify the signature of a compromised device, before drilling down to see what has been compromised and how. The Windows 10 Creators Update version of ATP updates the existing sensors to handle a new generation of attacks, so it can detect in-memory malware, kernel-level attacks, and cross-process code injections. Note that when attack information is shared outside Microsoft, it's anonymized and only used to build improved detection and response tools.

One important consideration: these sensors aren't delivering telemetry to Microsoft all the time. They're only accessed when you suspect you've been breached and are using Windows Defender ATP to respond to the attack. ATP is also "a backstop for when threat prevention fails," says David Weston, the head of research at the Windows Defender ATP group. Using ATP to quarantine infected systems allows deeper forensic analysis, as well as the opportunity to remove malware and close down exploits. The ability to quickly isolate suspected breaches is key, especially as it's handled from outside your network, using a cloud service; because you are managing your response from uncompromised systems, the risk of attackers seeing your response to their intrusion is reduced.

IT systems management in the cloud

Windows 10 Creators Update's ATP release will build on the cloud-based security tools released with the Windows 10 Anniversary Update, giving system administrators a single portal for examining the security state of all their managed devices, the Windows Security Center. Here, you get access to security intelligence from Microsoft and partners like FireEye, and can share details from your own forensic analysis to improve the ATP machine learning models. You can then pivot from Windows Defender ATP to Office ATP: once you've determined which PCs and users have been compromised, it's then possible to track down the malware or phishing techniques that were used to gain the initial foothold. It's all part of a renewed focus on Microsoft's part on moving device management away from on-premises tools to the cloud.

Although that approach may seem to be at odds with traditional device management, it makes a lot of sense given the changes in how PCs are deployed and used. Cloud-based tools and analytics work nicely when used by distributed and remote staff, as well as with BYOD deployments. The days of the regularly replaced fleet of on-premises PCs are long gone, and cloud-based management makes it possible to manage devices wherever they are, as long as they are connected to the internet.
Uncle Sam asked to come clean on what info it sought. Good luck with that

Yahoo! has asked the US government to break its silence on the secret court order that forced the Purple Palace to scan its webmail users' messages for specific keywords. In a letter [PDF] to US Director of National Intelligence James Clapper, Yahoo! general counsel Ron Bell says that national security laws prevent the online service from being able to reveal exactly what information it pulled from people's private mail and why it did so.

Bell begins by referencing the multiple reports that have emerged about the alleged program, in which Yahoo! has been accused of quietly installing a buggy kernel-level module in its Linux servers to sniff incoming network traffic and pull out conversations for the NSA or FBI to inspect. This software was apparently hidden from Yahoo!'s own internal security team, a move that led to the web giant's chief security officer quitting in protest. It was installed following a secret order granted by America's Foreign Intelligence Surveillance Court, it is understood.

"Yahoo was mentioned in these stories and we find ourselves unable to respond in detail," Bell writes, urging the US government to explain the situation for it: "Your office, however, is well-positioned to clarify this matter of public interest." The Yahoo! letter goes on to state that the company would like to be more open to the public and that it "consistently campaigns for government transparency about national security requests." Bell then goes on to suggest that the government loosen its hold on companies from being able to share further details with the public about how and when it is asked to hand over people's private information.

"Recent news stories have provoked broad speculation about Yahoo's approach and about the activities and representations of the US government, including those made by the government in connection with negotiating Privacy Shield with the European Union."

"That speculation results in part from lack of transparency, and because US laws significantly constrain – and severely punish – companies' ability to speak for themselves about national security-related orders, even in ways that do not compromise US government investigations."

The letter comes as Yahoo! finds itself trying to tamp down the outcry over not only the government dealings, but also security concerns from a massive hack on the Mail service that has thrown its $4.8bn acquisition at the hands of Verizon into some doubt.
Queued up to self-certify

Internet giant Google has signed up to the Privacy Shield, a framework designed to facilitate the transfer of personal data between the EU and US by businesses. Data storage and software provider Dropbox has also self-certified under the Privacy Shield.

The companies are the latest major US technology businesses to sign up to the scheme.

Google's certification was registered on 22 September and Dropbox's on 23 September. Microsoft self-certified under the Privacy Shield in August. Amazon also announced that it was in the process of self-certifying last month, but it appears that it has still to complete that process as its certification is not yet listed.

Since 1 August, US businesses have been able to self-certify their compliance with a set of privacy principles that make up part of the Privacy Shield. Data protection law expert Cerys Wyn Davies of Pinsent Masons, the law firm behind Out-Law.com, previously explained that businesses that sign up to the Privacy Shield within the first two months of it becoming operational can do so without first having to update arrangements for sharing data with others. Wyn Davies said, though, that those businesses then only have a limited time in which to put new contracts in place.

The European Commission has set out its view that businesses that transfer personal data from the EU to the US in line with the Privacy Shield principles and self-certify under the framework will adhere to EU data protection law requirements regarding the transfer of personal data outside the European Economic Area (EEA). However, Hamburg's data protection authority has said it is considering raising a legal challenge against the European Commission's endorsement of the Privacy Shield.

Earlier this summer the Article 29 Working Party, a committee representing national data protection authorities from across the EU, stated that it retains some concern about aspects of the Privacy Shield, including in respect of "mass and indiscriminate collection of personal data" by US authorities as well as on some "commercial aspects" of the framework. It said it "regrets … the lack of specific rules on automated decisions and of a general right to object" and said it "also remains unclear how the Privacy Shield Principles shall apply to [data] processors". Despite its concerns, however, the Working Party indicated that the watchdogs will not challenge the legitimacy of data transfer arrangements under the new Privacy Shield during the first year of its operation.

Copyright © 2016, Out-Law.com. Out-Law.com is part of international law firm Pinsent Masons.