(테크놀로지) 사페 항에서 EU 개인정보 감시단체 모임에 벌벌떠는 테크놀로지 기업들

출처: http://www.bbc.com/news/technology-35460131

Safe Harbour: Tech firms shudder as watchdogs meet 사페 항에서 EU 데이타 감시단체 모임에 벌벌떠는 테크놀로지 기업들

• 2 February 2016
 
• From the sectionTechnology

Image copyrightThinkstock

Image captionData protection authorities could place limits on the amount of personal data sent to the US

A meeting of EU data watchdogs is set to have wide-ranging ramifications for the way businesses handle data. 유럽연합 개인정보 감시단체 모임이 정보통신 기업들이 개인정보를 취급하는 방식에서 초래된 다양한 범위의 결과들을 내놓을 예정이다

Regulators need to decide how to act in light of a court ruling last year that invalidated the Safe Harbour agreement with the US. 담당자들은 사페 항에서 유럽연합이 미국과 맺었던 개인정보 관련 협정을 무효화시킨 작년의 법원판결에 따라 어떻게 행동할 건지 결정할 필요가 있다.

The pact made it relatively easy for companies to send personal information from Europe to data centres in the US for processing.

Lawmakers are still negotiating a replacement trade deal.

The data protection authorities are expected to make their views know on Wednesday at the end of the two-day event.

But their determination could affect tech giants including Google, Apple and Facebook - whose cloud services rely on such transfers - as well as thousands of smaller business who have outsourced payroll processing and other tasks to US-based organisations.

Remind me again, what exactly is Safe Harbour?

Image copyrightThinkstock

Image captionThe Safe Harbour pact meant companies did not have to seek authorisation for individual data transfers

The EU forbids its citizens' personal data from being sent to places that don't guarantee "adequate" privacy protections. 유럽연합은 "적절한" 개인정보 보호정책이 보장되지 않는 곳에 시민의 개인정보를 보내는 것을 금하고 있다.

In order to avoid this restriction bogging down transfers to the US, it was decided that American firms could self-certify that information sent to their data centres would be properly protected.

This Safe Harbour agreement came into force in 2000. 사페 항 협의는 2000년 발효되었다.

About 5,000 US companies took advantage of the deal to facilitate transfers. 이로 인해 약 5천 개의 미국회사들이 유럽연합 시민들의 개인정보를 취합할 수 있게 되었다.

What went wrong?

Image copyrightGetty Images

Image captionEdward Snowden's leaks led to Safe Harbour being called into question

In 2013, the whistleblower Edward Snowden leaked a mass of documents detailing the US security services' cyber-spying operations. 2013년 내부고발자 에드워드 스노우덴이 미국 정보기관의 온라인 감시 작전에 대한 세부문서를 대량 유출했다.

In light of the revelations, an Austrian privacy campaigner - Max Schrems - asked Ireland's data regulator to audit what information Facebook might be sharing with the NSA. 이 문건에 의하면, 오스트리아 프라이버시 운동가 Max Schrems이 아일랜드의 개인정보 담당자에게 페이스북이 어떤 정보를 NSA와 공유하는지 감사를 실시할 것을 요청한 바 있다.

It declined citing Safe Harbour, but the matter was referred up to the European Court of Justice. 사페항을 언급하지 않았으나(거절), 문제의 불똥이 유럽사법부로 튀었다.

Last October, the court ruled that the the decision to enable Safe Harbour was invalid, and as a consequence national data watchdogs could indeed review transfers on an individual basis. 그래서 작년 10월 법원은 사페항 협약의 결정은 무효하다는 판결을 내렸고, 그 결과 개인정보 감시단은 개인차원의 정보유출을 검토할 수 있었던 것이다.

So, did the regulators try to stop transfers straight away?

Image copyrightThinkstock

Image captionWatchdogs have held off revising data transfer guidelines until now

No.

The EU and US had already been negotiating a new data transfer pact for some time, dubbed Safer Harbour.

The aim is to give European citizens greater privacy safeguards without stopping US tech firms from being innovative.

The watchdogs opted to observe a grace period in order to see if a new pact might be agreed before 31 January that would influence their decision.

Although negotiators are reported to have made progress, no new deal has yet been agreed.

Wait a minute. Didn't several of the tech firms suggest they could carry on regardless despite the Safe Harbour ruling?

Image copyrightThinkstock

Image captionTech firms believed they could still authorise data transfers to the US by completing legal paperwork

Right. Many of the firms affected initially thought the ruling would just be an inconvenience as they could get their lawyers to draw up papers known as "model contract clauses" and "binding corporate rules" to keep the transfers legal.

This might have involved a lot more work, but the companies believed that the contracts - already used to send data to other parts of the world - could also be used to authorise the use of US data centres.

However, many expect the regulators will think that would be against the spirit of the ECJ's ruling.

"When you look at the grounds the court used to invalidate Safe Harbour, you could apply more or less verbatim the same reasons to invalidate the alternative methods," commented Annabelle Richard, a lawyer at Pinsent Masons.

"That would make it extremely difficult to export date from the EU to the US.

"It would become almost an exception to have permission, and I don't see how in reality that could work out because many companies depend on the transfers from an economic perspective."

What are the tech giants saying?

Image copyrightThinkstock

Image captionBusiness leaders want guidance on how they should proceed

The big tech firms declined to provide comment for this article, but several indicated that, at the very least, they needed clarity on what the rules now were.

"Some organisations have sought to repatriate data and minimise the number of data transfers that they have to undertake," added Antony Walker, deputy chief executive of the lobby group TechUK.

"But other companies' structures and processes mean that's almost impossible to do."

Is there a way out of this mess?

Image copyrightThinkstock

Image captionIt is not too late for a new Safe Harbour deal to be struck

European Commission and US government negotiators could still clinch a deal.

It has emerged that the Americans have offered to appoint an ombudsman to oversee complaints and respond to inquiries about alleged privacy breaches as part of a proposed Safer Harbour deal.

The Europeans still want guarantees that such an official would have real teeth and would not stay quiet if the security services were found to have overstepped their bounds.

But the point is that if the data watchdogs believe that a deal is close they may try and fudge Wednesday's announcement to give the talks more time.

The alternative is that the regulators do indeed try and enforce a data transfer clampdown.

One of the tech companies has suggested that if that happens there would be legal grounds to challenge the move and seek to bring the matter back before the ECJ.