In October, the European Court of Justice (ECJ) ruled that the EU-US Safe Harbour clause, a simple way for companies to transfer data between the EU and the US, was invalid. The 15-year pact was scrapped as a direct result of the audacious legal challenge brought about by 28-year old Austrian law student, Max Schrems.
That Schrems was able to take on seemingly impregnable tech companies and score a victory for user rights has earned him plaudits from many, notably Edward Snowden, who sparked the transatlantic friction in the first place with his revelations about the US security services’ online surveillance of the EU. The timing of the ECJ ruling came as something of a surprise, but the decision itself fits a recent pattern of the EU tightening its data privacy rules.
US privacy laws are more lax than those of the EU. Until the ruling, Safe Harbour was a framework for a compromise between US and EU privacy procedures. In place since 2000, Safe Harbour allowed US-based companies to transfer the data of European citizens overseas to the US as long as the company met EU privacy standards. Companies wishing to move data had to sign up to seven principles on how the data would be handled, but the ECJ’s ruling sends a strong message that user privacy rights need to be enshrined in law, not left to little more than self-certification. Since the Safe Harbour ruling, businesses on both sides of the Atlantic have had to review the way they collect, store, process and move personal data relating to EU citizens.
How will businesses be affected?
Businesses that rely on the free transfer of data between the EU and US will find themselves in a tough spot. Much analysis has focused on what the ruling means for US social media and other internet companies, but also affected will be US cloud file-sharing sites like Dropbox (and the customers who use their services to store EU citizens’ personal data), cloud service providers, global retailers with buyers in the EU and any US business that manages the personal data of EU citizens.
Now the scramble begins for CISOs in global companies to find ways to comply with the new ruling. It goes without saying that user privacy is extremely important and should be a fundamental right, but this ruling affects more than Facebook and Google, who will have anticipated and already addressed this issue within their organisations. It will most likely change how companies need to handle data flows between the two continents. About half the world’s data is exchanged between Europe and the US, and rejecting Safe Harbour means drastic changes for small and medium businesses alike.
Although we do not yet know what exactly will replace Safe Harbour, we know that day-to-day business will be impacted. It’s going to be harder to provide services and data between the EU and US.
All this concern around data privacy regulations sounds familiar. What other rules exist?
Safe Harbour was found not to meet the requirements of the Data Protection Directive. The EU appears increasingly to pit itself against the US approach to data privacy. The Safe Harbour ruling, once seen in the context of other decisions (such as the right to be forgotten), is a clear signal that ‘prosper now, privacy later’ won’t work in the EU.
Whilst the EU’s general approach to its proposed data protection plans (the General Data Protection Regulation) has been agreed, the actual regulation is still in consultation, so there may be flexibility to include clear guidance for the firms affected. However, it would be fair to assume that this could push back the target adoption date, which is currently the end of the year.
How are businesses preparing for the legislation?
A recent survey by Ipswitch revealed that businesses are gearing up for the changes ahead, but slowly. Although the GDPR has been in consultation for nearly four years, the poll from September 2015 revealed that one in five UK businesses still had no idea whether the changes will apply to them, despite confirming that they do store and process personal data. Meanwhile, 69% of companies believe they will need to invest in technologies to help them process and store data according to the new standards.
So what can businesses do now to get up to speed?
Organisations should not underestimate the burden this kind of legislation can represent. Depending on a business’s existing data transfer practices, the Safe Harbour decision could require deep-rooted changes and involve many departments within the organisation. Here are five steps to help IT departments plan for privacy compliance.
Clear lines of accountability
Given the growing demands on companies to maintain data privacy, appointing a data protection officer can be a very good first step. Many companies already do so, and it is likely that the upcoming GDPR will insist on many more companies following suit. Gartner analyst Carsten Casper notes that for many companies, “it makes sense to have a privacy officer, regardless of the law”.
The compliance process will require C-level buy-in, inter-departmental collaboration, resourcing, budget sign-off and technological investment. However companies approach it, they will need to be clear about who within the organisation is responsible for the project.
Audit your current practices
Although businesses will have some time before they need to achieve compliance, they should start working immediately to audit their data sharing practices, including use of US cloud sharing services like Dropbox, so that they understand exactly where they stand and are ready to act when further guidance is issued. An audit should also consider who in the organisation will be affected by the changes and what support is required.
It makes good business sense to plan beyond the current compliance challenge. Ask what processes, policies or technologies can be put in place now that will also serve you in future projects. The mark of a mature, agile organisation is one whose solutions meet today’s needs but have enough flex built in to accommodate future change.
Where are you most vulnerable?
Moving data securely and reliably to support critical business processes has come under the spotlight with the scrapping of Safe Harbour. It has never been more important to be sure of your file transfer policies. In the absence of new guidance to replace the Safe Harbour system, assume that whatever comes next will be more rigorous and will require an evidence trail.
In a world where the digital economy is increasingly the norm, it makes good business sense to be better connected with partners, contractors and customers. Managing the transfer and storage of all files between customers, employees, partners, business systems and so on can be daunting. One technology that can help is managed file transfer, which makes data accessible while giving the IT department complete control and visibility.
Spread the word
It is no longer good enough just to have the right policies in place for secure data transfer; an organisation must also ensure it has the right file-transfer technologies, security systems, processes, a full audit trail and, perhaps most importantly, staff training.
You can have all the technology in the world in place, but if your employees don’t know what’s required of them, you will fail. Getting your people ready for the new data protection requirements is just as important as getting your technology ready.
Set for Action
The national data protection authorities in the EU’s member states have been hurrying to review, digest and provide guidance on how companies should proceed day-to-day. The use of model clauses in contracts has been a hotly debated issue amongst national authorities, with some experts advocating their use as a ‘band aid’ in the absence of further guidance, while others, such as the German watchdog, have argued that these are no substitute for Safe Harbour. In the UK, the authority is the Information Commissioner’s Office (ICO). Its advice is more measured, favouring an urgent review of procedures rather than the dismantling of existing data transfer methods. Specifically on the subject of file-hosting companies like Dropbox, the ICO has clarified that organisations may continue to use them as before for now. The emphasis is on planning for the future so that compliance can swiftly be achieved when the time comes.
If this all sounds at best inconvenient and at worst a time-consuming hoop through which companies will have to jump, then it is worth remembering the implications of the Safe Harbour ruling for all of us as citizens. It is a big win for personal privacy. It may also prove a big win for business. To paraphrase a principle of physics, innovation abhors a vacuum. It is my belief that the vacuum created by Safe Harbour will yet prove to be an opportunity for improvement as organisations seek better solutions, offering greater accountability, to the challenges of the digital economy.
By David Juitt, Chief Security Architect, Ipswitch