Grounded in the Cloud
cancel
Showing results for 
Search instead for 
Did you mean: 

EU – US Privacy Shield - Restoring trust in transatlantic data flows?

SimonLeech

In a data-driven society, it’s easy to grasp the value of being able to freely and legally transfer data concerning customers and employees across international borders. Indeed for many organizations, whether the size of Google or Facebook, or smaller niche players, the ability to transfer data unhindered is critical to their ongoing corporate success.

That’s why back in October 2015, when the European Court of Justice (CJEU) declared the Safe Harbor agreement invalid, organizations relying on the 15 year old framework to transfer data across the Atlantic were left in limbo. Earlier revelations made by Edward Snowden had uncovered the US Government PRISM clandestine surveillance program, and suggested the government had the ability to access European citizen data held on servers within global technology companies, including Google, Facebook, and Apple. It was these concerns that had led Austrian citizen Max Schrems to take Facebook to court over the level of privacy protection given to the personal data that Facebook stored. A lengthy legal battle ensued, leaving businesses that relied on the Safe Harbor ruling to transfer data on EU citizens to the US effectively operating illegally.

Privacy Shield.JPG

Fast forward nine months, and the 28 member states of the EU, together with the US policy makers, have finally agreed upon an updated data transfer agreement, known as the EU-US Privacy Shield, to replace Safe Harbor. The main elements of the new agreement are stronger obligations on companies and more robust enforcement, multiple redress possibilities for individuals with disputes, clear safeguards and transparency obligations on how the US Government may access information, and an annual joint review mechanism.

Whilst this is certainly an improvement on the old framework, Max Schrems is already questioning the validity of Privacy Shield, claiming in a press release published on July 12th (and well worth spending a few minutes reading) that ‘it is very likely to fail again, as soon as it reaches the CJEU’, and that the deal ‘is bad for users, which will not enjoy proper privacy protections and bad for businesses, which have to deal with a legally unstable solution.’

Only time will tell how well this agreement will be accepted by privacy watchdogs, consumers, and the Data Protection Authorities in each of the 28 member states. Four countries – Austria, Slovenia, Croatia, and Bulgaria – abstained from the voting procedure, with the other members all voting in favor of Privacy Shield, so it looks like it is off to a good start, but it will certainly be interesting to see whether opinions have changed by the time the first annual review comes up.  The annual review procedure itself has raised concerns already – whilst it’s definitely positive that a review can allow for the introduction of needed changes to the agreement, it also makes it harder for data protection officers who need to implement these changes.

With Privacy Shield coming into force before the new General Data Protection Regulations (GDPR, scheduled for introduction in May 2018), it will be interesting to see how these two regulations cooperate with one another. Due to the later introduction of GDPR, organizations wishing to exchange data today will need to continue to rely upon binding corporate rules, and standard contractual clauses, and may well find themselves complying with stricter compliance in these contracts versus the often looser regulations in Privacy Shield.

From a technology perspective there are of course always proactive steps that can be taken to help organizations to protect the citizen data stored in public and private clouds – information management tools such as HPE Verity, a data-centric approach to security using technologies such as Format Preserving Encryption and Secure Stateless Tokenization from HPE Security – Data Security, and continuous monitoring with HPE ArcSight to name just a few (slightly biased!) examples of technologies that will help as part of a structured approach to hybrid cloud security.

I would encourage all organizations that feel they will need to be compliant to the Privacy Shield regulations to look carefully at the guidelines, under the appropriate legal supervision, but also to take a look at how a well thought out security program can also provide a number of compensatory controls to protect data above and beyond the prescribed legal requirements.

0 Kudos
About the Author

SimonLeech

Simon Leech is a Certified Information Systems Security Professional with a specialisation in Security Architecture (CISSP-ISSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in Cloud Security Knowledge (CCSK) and Chief Technologist Security within the Hewlett Packard Enterprise EMEA Hybrid IT Team. Within Hewlett Packard Enterprise, Mr Leech is responsible for influencing and evangelising the security strategy of the Hybrid IT team. Simon is active on Twitter as @DigitalHeMan

Events
28-30 November
Madrid, Spain
Discover 2017 Madrid
Join us for Hewlett Packard Enterprise Discover 2017 Madrid, taking place 28-30 November at the Feria de Madrid Convention Center
Read more
See posts for dates
Online
HPE Webinars - 2017
Find out about this year's live broadcasts and on-demand webinars.
Read more
View all