At a glance.
- White House executive order on EU-US data sharing.
- US federal government considers support for cyber insurance industry.
- International spyware abuse inquiries.
White House executive order on EU-US data sharing.
On Friday US President Joe Biden issued an executive order codifying Privacy Shield 2.0, an agreement established earlier this year regarding how the EU and the US share individuals’ private data. “Transatlantic data flows are critical to enabling the $7.1 trillion EU-US economic relationship,” the White House stated. Indeed, this transfer of data is essential, but the EU has expressed concerns that the US has too much access to European data, and the Schrems II case highlighted the fact that EU citizens had no rights to petition the US government over issues concerning data collection. As Computing explains, in July 2020 the Court of Justice of the European Union (CJEU) ruled that, under EU law, the prior EU-US Privacy Shield framework was not a valid data transfer mechanism because it gave the US excessive freedom to monitor European data.
With the intent of assuaging the EU’s concerns, Biden’s EO establishes the Data Protection Review Court, which will give EU citizens the opportunity to challenge how US security agencies use their data. It also sets several restrictions on data collection, stating that any intelligence data gathering must be “proportionate” and that only very specific types of data can be collected. However, as the Register notes, critics argue the EO is unlikely to satisfy EU law. Austrian privacy activist Max Schrems commented, “In the end, the CJEU's definition will prevail, likely killing any EU decision again. The European Commission is again turning a blind eye on US law, to allow continued spying on Europeans.” Ursula Pachl, deputy director general of the European Consumer Organization, told Wired, “However much the US authorities try to paper over the cracks of the original Privacy Shield, the reality is that the EU and US still have a different approach to data protection which cannot be canceled out by an executive order.” The EO will now be sent to Brussels, where EU officials have up to six months to review it. A new data agreement is expected around March 2023, although it’s anticipated that privacy advocates will challenge the decision in court.
US federal government considers support for cyber insurance industry.
Last week the US Department of the Treasury’s Federal Insurance Office (FIO) released its Annual Report on the Insurance Industry as required by the Dodd-Frank Wall Street Reform and Consumer Protection Act. As the Treasury explains, the report details the American insurance industry’s financial performance and condition in 2021, and provides projections for 2022. “The Federal Insurance Office’s annual report is an important analysis of the US insurance markets and related issues that may impact financial stability,” US Assistant Secretary for the Treasury for Financial Institutions Graham Steele said.
As we noted last week, the FIO also recently issued a request for public comment on a potential federal insurance response for catastrophic cyber incidents, a project currently being considered by the Cybersecurity and Infrastructure Security Agency upon recommendation from the Government Accountability Office. As cyberattacks have increased in frequency, private insurance firms have increased premiums and, in some cases, denied coverage for companies recovering from such attacks. “I think what you’re seeing is the government sort of thinking about this from their side if they should be doing more to help companies that are hit and, if so, how should they define what the thresholds are,” Josephine Wolff, an associate professor of cybersecurity policy at the Tufts University Fletcher School, told the Hill. “They’re clearly evaluating that and trying to think carefully about it right now.”
International spyware abuse inquiries.
A European Parliament committee is in the midst of investigating the prevalence of Pegasus spyware and other surveillance software in the EU, but with members spanning bloc member states, political leanings appear to be complicating the inquiry. Lawmakers supporting the independence of Spain's Catalonia region were allegedly targeted with spyware, and when they testified on Thursday about their experiences, things got heated as some Spanish members of the committee criticized the Catalan independence movement. The committee’s membership also includes members of Hungarian and Polish ruling parties, which have been accused of spying on their citizens. Jeroen Lenaers, chair of the committee, told the Washington Post, “It was always going to be a very difficult committee to work as a team. But I personally feel that, especially lately, the politics have really taken too much center stage.” He added that, in order to be successful, the committee will need to “work as European members of Parliament and leave the national discussions to the national parliaments.”
Meanwhile, a cyberattack led by the Guacamaya hacking group on Mexico’s Ministry of National Defense led to the publication of thousands of classified documents, and the data allegedly indicates that the Mexican military has been spying on journalists and activists (as well as covering up sexual abuse scandals). As Aztec Reports notes, Mexican President Andrés Manuel López Obrador claims no such surveillance has been conducted under his administration, but the leaked documents show that the Mexican military purchased Pegasus spyware in April 2019. With this new evidence, a group of journalists and activists filed a complaint with Mexico’s Attorney General’s Office on Tuesday.
In Greece, investigative journalist Thanasis Koukakis has filed a lawsuit against digital spyware firm Intellexa, demanding a criminal investigation into the company. Koukakis alleges that the firm violated both EU and Greek laws when it allegedly sold its Predator spyware to Greece’s National Intelligence Service. The Greek government has confessed that it spied on Koukakis and other journalists, but has not admitted that it had a contract with Intellexa. Koukakis told Haaretz, “Given that the Mitsotakis administration has not yet moved in any way to limit or prohibit the use of Predator in my country, I filed a lawsuit against Intellexa and its shareholders asking from the Greek justice to take action and investigate all crimes that have been committed.”