How Organizations Can Manage the Confusion After US Privacy Shield Fails
In a final look at the consequences of the decision by Europe to strike down the US Privacy Shield, it has become clear that many companies in the U.S. are already moving forward and looking at other ways to transfer and use data from Europe in a way that is secure and private within the confines of the regulations still in place.
The EU ruling affected thousands of companies that need to share data with American counterparts. The U.S. will also have to undertake serious reform before its privacy regulations meet EU standards. In the meantime, firms will have to switch to standard contractual clauses (SCCs) to transfer data, as the ECJ has ruled they are still valid.
The State of Data Transfers Now
Make no mistake, though, the road to a new agreement is going to be tough. Caitlin Fennessy, the International Association of Privacy Professionals (IAPP) research director and former Privacy Shield director at the U.S. International Trade Administration, pointed out that for the moment at least, these data transfers must be on a case-by-case basis.
“The EU data protection authorities have made clear that companies can still use standard contractual clauses for data transfers, but must conduct case-by-case assessments of the sufficiency of foreign protections and put in place additional safeguards where necessary,” she said.
This will require companies around the world to conduct complex analyses of the laws of countries as diverse as the U.S., China, India and Brazil. While EU authorities have not endorsed any safeguards to remedy government access concerns, privacy practitioners are suggesting technical, policy and contractual controls ranging from encryption to commitments to share data with government authorities only when legally required.
The Role Of SCCs
While the Court of Justice of the European Union (CJEU) judgment makes clear that the EU-U.S. Privacy Shield can no longer be used as a safeguard for international data transfers, it also raises questions about reliance on SCCs, said Sergio Rotman, certified compliance officer at New York City-based Collibra.
SCCs are contractual terms and conditions agreed to by the sender and the receiver of personal data. They are intended to protect personal data leaving the European Economic Area (EEA) by imposing contractual obligations, in line with the GDPR's requirements, on recipients in territories not considered to offer adequate protection.
While the SCCs are workable now, it is likely they will require further review. Global organizations faced with the challenges of doing business in the EU and beyond can use technology partners to manage the complexities of data and achieve compliance through the changing regulatory landscape. Among the issues organizations in the U.S. need to address are:
- Personal information: Discovery and classification of personal data, so that it can be found and labeled alongside other sensitive data.
- Data mapping: Improved visibility into where data is located and how it flows through the data ecosystem. This view lets organizations document business context, the purpose of each data use and the third parties affected by the CJEU ruling.
- Regulatory reporting and management: Reporting that assesses compliance readiness and tracks the organization's progress as it adapts its data residency and data sharing practices.
“Companies should look closely at how their technology partners are able to support them,” Rotman said.
Data Transfers in International Workplaces
Chicago-based project44 is an advanced visibility platform for shippers and third-party logistics firms which, because of the nature of the services it provides, has had to facilitate and support efforts to make the sharing of information safe and rigorous for all parties.
With the invalidation of the Privacy Shield arrangement, project44, along with thousands of other corporations, is looking to regulators and advisory bodies - the European Commission, the European Data Protection Board and national data protection authorities in particular - for continued guidance on how to facilitate and support international transfers in the future, said Daniel Ramsgaard, senior legal counsel at project44. The Privacy Shield was one of several options for enabling international transfers of personally identifiable information.
“As a matter of diligence and to provide our customers and data subjects with strong measures to support the fundamental rights on privacy, our approach is to underpin any transfers with multiple mechanisms to ensure the highest level of safeguarding available,” he said.
Ramsgaard emphasized that while recent rulings put stress on the ecosystem of international transfers of personally identifiable information, they also present an opportunity to clarify and streamline the options for such transfers in the future. Several of the mechanisms currently available predate the current regulation by several years.
There is also a financial consideration. For more than a decade, the cybersecurity world has made massive investments at the network level and in encrypting data. With this one ruling, all that changes for most companies, said Rick Farnell, CEO of Stamford, Conn.-based Protegrity. It is now imperative for companies to invest in data-level protection at the finest granularity possible and ensure that security follows the data no matter where it goes.
“I am seeing more enterprises across industries investing in fine-grained data security, and I recommend executives move to adopt and implement best practices to discover, classify, protect, enforce and monitor their data-security frameworks,” he said.
Understanding The Cost Of Non-Compliance
It should be remembered that the regulation now governing data protection in Europe is the GDPR, which also provides for sanctions for data breaches and for the abuse, careless or otherwise, of personal data.
Just this week, IBM released its annual Cost of a Data Breach Report which says that the average data breach now costs $3.86 million. The annual study is based on in-depth interviews with more than 3,200 security professionals at more than 500 global firms that experienced data breaches over the past year.
For companies that feel they can absorb that kind of cost, the report also pointed out that breaches exposing more than 50 million records cost an average of $392 million, up from $388 million the previous year.
While the U.S. still had the highest data breach costs in the world, at $8.64 million on average, Scandinavia experienced the biggest year-over-year increase, rising 13%.
More to the point, lawmakers and institutions are not the only ones holding businesses accountable when it comes to data privacy. Companies must also answer to their customers.
As data becomes the linchpin of business success, consumers are growing increasingly wary of how their personal information is being used and are more likely to turn to the law if they feel their private data is being abused.