When the ECJ invalidated Safe Harbour last October, it disrupted cross-Atlantic data transfers for the thousands of businesses that had relied on the EU-US agreement to self-certify security assurance. To fill the void, Brussels and DC in February hammered out Privacy Shield, which, alongside the Judicial Redress Act, gives EU citizens the right to sue a US company if they believe their personal information has been insecurely handled. The accord also limits US intelligence agencies’ data surveillance of European citizens.
Though the European Commission brokered this new accord, various Data Protection Authorities (DPAs) on April 13 raised strenuous objections to the agreement.
Working Group 29 (WG29) had six objections to the agreement:
- Lack of data protection laws (such as purpose limitation and data retention)
- Lack of centralisation of reference material
- Lack of the same privacy assurances for onward transfers from third-party recipients who receive EU personal data from a Privacy Shield entity
- Fear that the redress process might be too complex for non-English speaking Europeans
- Continued distrust of US intelligence surveillance
- While the group welcomed the creation of an ombudsperson to solve complaints raised by EU citizens, it worried that the role was not independent enough from US authorities
A bumpy road ahead for Privacy Shield
Given the breadth of WG29’s complaints, Privacy Shield negotiations will be messy for a long time with bumps and detours along the road. To navigate, businesses must diligently stay on top of requirements as they change. While it’s anyone’s guess what the fine print of the new accord will look like, existing privacy requirements from the EU GDPR and sector-specific mandates, like HIPAA and PCI, offer a good collection of technical requirements for protecting personal data. Companies that want to build a proactive security strategy can look to technical recommendations from existing privacy laws as standards for bolstering defences.
Because of the distributed nature of cloud computing, data privacy technologies will centre on security controls, including encryption and tokenisation, to scramble and mask personal data in transit and at rest. These technologies are a practical way for organisations to provide sound privacy assurances in the interim absence of a final agreement and even after the legal language is completed. The latter point is important because the Court of Justice’s Safe Harbour ruling gave each DPA independent oversight to determine the adequacy of privacy protections by data controllers and processors. This means that even after a final privacy pact, US companies may still be subject to ongoing scrutiny by 28 DPAs.
What should organisations be doing?
Even with Privacy Shield in place, the DPAs’ power to challenge a firm’s privacy assurances creates a fragmented policy landscape for multi-nationals. While the legal agreement continues to evolve, technology tools provide some answers based on existing security best practices:
Identify the risks
This means doing the analysis to identify cross-border data transfer flows. Assess the scale of the flows and the sensitivity of information that’s moving across borders. This must include the flow of data with your customers, between your employees, and to your vendors (and their sub-contractors). Realise that data flows may not be immediately obvious. Even if data doesn’t flow as part of an operational business process, it may be accessed by administrators in another location as part of system maintenance or support activities.
Secure cloud usage
At most companies, cloud usage presents a significant risk to data protection. Companies must do due diligence to identify sanctioned and unsanctioned cloud usage where significant leaks of sensitive data can occur. Implementing shadow IT reporting of cloud usage and setting controls for data sharing and data loss prevention should be among the first technical measures companies adopt.
Review critical cloud applications in detail
Perform full analysis of your enterprise-wide cloud applications for CRM, collaboration and IT service management. This requires reviewing all use cases for each application and the specific fields in it that need protection. Consider the full scope of security around the application – not just EU privacy concerns – to create comprehensive security playbooks for your critical enterprise functions.
Limit or mask sensitive data flows
Legacy operational procedures may not be properly aligned with the new privacy regulations. If there’s no compelling business need for the data transfer, review whether processes can be modified to render sensitive data indecipherable or limit the scope of the data transfer.
These security practices offer organisations technical assurances for protecting data in cross-Atlantic transfers and in other situations involving sharing sensitive information beyond the enterprise walls. Knowing what information sits in which cloud and setting policies for secure cloud usage enables companies to proactively safeguard data from security, privacy and residency risks.
Ultimately, responsibility and liability for data protection rest with the cloud customer. As a result, it is incumbent on the enterprise to build a plan to address security gaps. On the legal side, filling in the gaps can take the form of model contract clauses or binding corporate rules that cloud providers have been supplying since Safe Harbour’s suspension. But there are no guarantees that the DPAs will approve these legal assurances. For this reason, turning to accepted security best practices is the most proactive strategy a cloud customer can take to prepare for Privacy Shield and the updated GDPR.
Lise Feng, Director of Corporate Communications, CipherCloud