Data sharing is a core aspect of business today, so much so that we’ve begun to take for granted that any information we need will be instantly available to us or our systems. We share data every time we work online with co-workers, customers, business partners, and suppliers. There are myriad services that allow us to share information and collaborate from anywhere, any time, and on any platform. Most of us don’t give much thought to the security and privacy implications of this global data sharing.
But that’s OK, because neither did the United States government. At least not until recently. The U.S. lacks the broad federal privacy laws that are typically found in other developed countries, particularly member states of the European Union where personal data is protected quite closely by EU Directive 95/46/EC. American companies were allowed to use the US-EU Safe Harbor Pact to claim that they complied with EU privacy regulations. It’s important to understand that the EU was thrown into a tizzy when Edward Snowden revealed that the NSA was widely spying on the personal data of the world’s citizens. Last year, I wrote a paper that argued that there would be long-lasting and far-reaching economic impact of NSA spying with respect to EU data privacy laws.
No More Safe Harbor
The October 6, 2015 ruling by the Court of Justice of the European Union declared that the US-EU Safe Harbor Pact was invalid. In essence, the court has stated that because the US lacks a sufficient legal framework to protect the personal data of European citizens, it is now illegal for US companies to possess such data. How sad is it that the US government is so anti-privacy that other countries pass laws saying their citizens’ data can’t be housed here?
The Court’s decision was based on a case brought by Austrian citizen Max Schrems that involved data transfers by Facebook from Ireland to the USA. Under the recent ruling, transfers to US-based businesses under Safe Harbor are no longer valid. This means that without alternative legal solutions in place, any business that sends data to the USA risks fines or orders to suspend data transfers. There are over 4,000 businesses that do this today.
What Should Your Business Do?
If you work at an American company that captures and retains personal data about EU citizens, then you’re going to have to act fast or you’ll face fines and potential censure. There are options such as model clauses and binding corporate rules that can help. A model clause, or model contract, guarantees that data transfers take place under adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals. Binding Corporate Rules (BCR) are internal rules, like a code of conduct, used by multinational companies to ensure compliance with the data protection policies that are required under EU Directive 95/46/EC. The drawback to BCR is that they require a lengthy approval process from European regulators.
It’s important to understand that EU law is not like US law in that a business can’t simply pass the liability on to a third-party data storage or transfer agent. Companies must reach an understanding with their vendors and partners, or develop sufficient internal controls, regarding how they will ensure that data transfers are fully compliant with EU law. Otherwise they run the risk of serious business disruption. Disrupting the flow of data in today’s interconnected world could be devastating.
Perhaps the most important thing that you can do is to reach out to your duly elected representative and make it known that the US’s lax data privacy laws are hurting your business. I suspect that the EU ruling is but the tip of the iceberg and more civilized countries will follow suit. Until the larger issue of our government’s weak stance on personal privacy is tackled, your international business is going to require a lot of international lawyers.
Matthew David Sarrel has been practicing and writing about network and information security for over 20 years. He is Executive Director of Sarrel Group, an editorial services/content marketing, product test lab, and information technology consulting company. He is a Contributing Editor for PCMag.com, Triple-G Editor for Backayard Magazine, and contributor to Infoworld, Programmable Web, and numerous other sites and publications. Previously, he was a technical director for PC Magazine Labs. Prior to joining PC Magazine, he served as VP of Engineering and IT Manager at two Internet startups. Earlier, he spent almost 10 years providing IT solutions in HIV-and-TB-related medical research settings at the New Jersey Medical School. Mr. Sarrel has a BA (History) from Cornell University, an MPH (Epidemiology) from Columbia University, and is also a Certified Information Systems Security Professional (CISSP). Mr. Sarrel has written for and spoken to numerous international audiences about information technology and information security. He participated as an expert in two Federal Trade Commission workshops, one about spam in 2003 and one about spyware in 2004. Follow Matt on Twitter. Follow his adventures with Elvis the information security French bulldog on Instagram.
Stratford University, in association with Key Cybersecurity, is offering CISSP, CISA and CEH training and certification courses at many of its Northern Virginia campuses. We will be providing students with hands-on experience with state-of-the-art security solutions like HeurekaCyber’s Cyber Armor and others. Join us at http://www.stratford.edu/cyber in becoming the first line of defense in cybersecurity.