EU-U.S. commercial data transfer pact enters into force

Servers in Iceland

By Julia Fioretti

BRUSSELS (Reuters) – A new commercial data pact between the European Union and the United States entered into force on Tuesday, ending months of uncertainty over cross-border data flows, and companies such as Google <GOOGL.O>, Facebook <FB.O> and Microsoft <MSFT.O> can sign up from Aug. 1.

The EU-U.S. Privacy Shield will give businesses moving personal data across the Atlantic – from human resources information to people’s browsing histories to hotel bookings – an easy way to do so without falling foul of tough EU data transferral rules.

The previous such framework, Safe Harbour, was struck down by the EU’s top court in October on the grounds that it allowed U.S. agents too much access to Europeans’ data.

Revelations three years ago from former U.S. intelligence contractor Edward Snowden of mass U.S. surveillance practices caused political outrage in Europe and stoked mistrust of big U.S. tech companies.

In the months that followed the EU ruling companies have had to rely on other more cumbersome mechanisms for legally transferring data to the United States.

The Privacy Shield will underpin over $250 billion dollars of transatlantic trade in digital services annually.

Google and Microsoft said they would sign up to the Privacy Shield and would work with European data protection authorities in case of inquiries.

A person familiar with social network Facebook’s thinking said the company had not yet decided whether to sign up.

“It’s too early to say as we haven’t seen the full text yet but like other companies we will be evaluating the text in the coming weeks,” the person said.

The Privacy Shield seeks to strengthen the protection of Europeans whose data is moved to U.S. servers by giving EU citizens greater means to seek redress in case of disputes, including through a new privacy ombudsman within the State Department who will deal with complaints from EU citizens about U.S. spying.

However the framework also faces criticism from privacy advocates for not going far enough in protecting Europeans’ data and is widely expected to be challenged in court.

Max Schrems, the Austrian law student who successfully challenged Safe Harbour, said the Privacy Shield was “little more than a little upgrade to Safe Harbour”. However he added that he did not have plans to challenge it himself for the time being.

“We are confident the framework will withstand further scrutiny,” Penny Pritzker, U.S. Secretary of Commerce, told a news conference.

EU data protection authorities, who had demanded improvements to the Privacy Shield in April, said they were analyzing the framework and would finalize a position by July 25.

(Editing by Alexandra Hudson and Louise Heavens)

Officials State Hackers Stole 5.6 Million Fingerprints, More Than Previously Reported

The Office of Personnel Management (OPM) announced that 5.6 million fingerprints were stolen in April’s cyber attack, more than five times the amount the agency first reported.

The hackers were able to obtain fingerprints, social security numbers, names, addresses, health information, and financial data from millions of government employees. The OPM stated in June that personnel records of 4.2 million people had been compromised in the cyber attack. A month later, the agency announced a second attack that was targeting 21.5 million people and only 1.1 million fingerprints had been stolen.

“The fact that the number [of fingerprints breached] just increased by a factor of five is pretty mind-boggling,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology. “I’m surprised they didn’t have structures in place to determine the number of fingerprints compromised earlier during the investigation.”

The OPM tried to downplay the situation by stating that the ability to abuse fingerprint data was “currently limited.” The agency did warn that as technology improved there could be a higher chance of someone using their fingerprints as a guarantee of identity. Considering there are now security measures for unlocking smartphones and home security systems using a person’s fingerprints, that day may not be as far as the OPM states.

Investigations are continuing as officials are still trying to find who was responsible for the cyber attacks. Meanwhile, the OPM is still in the process of notifying everyone who had information stolen. According to the agency, they will provide free identity theft and fraud protection services to those who were affected by the cyber attack.

U.S. officials have blamed China for the OPM breach. China has continued to deny the attacks. The announcement comes during the second day that Chinese President Xi Jinping is visiting the United States. Jinping is due to meet President Obama in Washington on Friday.