Introduction and the privacy shield
After a long wait while bureaucrats worked out the details of new EU data protection law, the European General Data Protection Regulation (GDPR) is here – or at least, it will be in two years. In the wake of Safe Harbour and Privacy Shield, the latest data sharing agreement between the EU and the United States, the GDPR affects all businesses processing personal data, but how?
What is the GDPR?
The GDPR is the European Commission's latest attempt to strengthen data protection for EU citizens, including the export of their data outside of the EU.
"The approval of the General Data Protection Regulation is by far the largest shake-up of data protection rules so far this century," says Michael Hack, SVP of EMEA operations at Ipswitch, whose survey of 300 European IT professionals revealed that nearly 70% said they'd need to invest in new technologies or services to help prepare the business for the impact of the GDPR.
The GDPR includes more than 50 Articles, and must be implemented by each of the 28 EU member states by 2018.
Why did it take so long to agree?
"When you're dealing with fundamental human rights, it's probably worth taking a bit of time to make sure you've got the right protections in place," says Tamzin Evershed, Legal Director at Veritas, who insists that the global data processing arena is a new and complex place. The difficulty lies in balancing governments' need to protect against terrorism with individuals' right to privacy.
"It's like herding cats – there are a lot of EU nations all of whom want to have their say, and to complicate things, it also has to have the USA agree," says Guy Bunker, a Senior Vice President at cybersecurity specialist Clearswift. It's no easy deal.
What was wrong with Safe Harbour?
After the mass surveillance of EU citizens by the NSA's PRISM came to light in 2014, German law student Max Schrems argued that his Facebook data was not safe in the US, and the European Court of Justice agreed.
"In practice, US companies were seen to not take the regulations seriously and were simply using it as a 'tick box' exercise in order to do business with the EU," says Janine Regan, Associate at Charles Russell Speechlys. The truth is that Safe Harbour was 15 years old, horribly outdated and never audited.
"Safe Harbour was created in a different era – pre-9/11, pre-cloud and pre-Snowden – and wasn't intended for the massive volumes of cross-border data traffic we see today," says Willy Leichter, global director of CipherCloud.
"European citizens had no recourse to the US court system if a US-based service lost their data and data could be intercepted by US authorities," says Nigel Hawthorn, Chief European spokesperson at Skyhigh Networks. It was only a matter of time before the European court decided that Safe Harbour was not fit for purpose.
However, the core of this issue is that attitudes to data privacy in the US and EU are at polar opposites. "EU attitudes towards data privacy which favour the rights of the individual are at loggerheads with those of the US under the US Patriot Act which favours the rights of the state," says Penny Jones, senior analyst for European services at 451 Research.
What is the Privacy Shield?
A stop-gap between the demise of Safe Harbour and the incoming GDPR in 2018, the EU's hastily agreed Privacy Shield is what we have for the next two years. "The two-year review is intended to analyse how the Privacy Shield complies with the new General Data Protection Regulation, which will be implemented in all Member States by then," explains Ann Bevitt, privacy and data security Partner at law firm Cooley.
However, the Privacy Shield is seen – from a European perspective – as weak, and unable to prevent NSA surveillance of EU citizens. "The Privacy Shield is taking so long to agree due to the vast legal differences between the EU and US, especially when it comes to the handling of personal data," says Gunter Ollmann, CSO, Vectra Networks.
"Broadly speaking we have agreement on the commercial use of data, the ideas of informed consent and security, but the US government is having a hard time fettering its surveillance activities in the name of national security," says Ross Woodham, Director Legal Affairs and Privacy, Cogeco Peer 1. Cue the Freedom Act, which was implemented in November, and didn't help matters with the EU.
"It only applied modest restrictions to data collection, and these restrictions are fairly meaningless in the context of some of the other powers of the US surveillance program," says Woodham.
Model contracts and punishments
What should US-based firms do while they wait for GDPR?
Keep their noses clean. "Safe Harbour was only one of the options available to exporters and importers of personal data to the US," says Evershed. "Consent is one way of transferring personal data outside the European Economic Area, but the other, possibly more practical way is to use EU Model Clause agreements – they're a standard form agreement that can't be negotiated."
However, adjustments will be needed – not least because of 'dark data'; 52% of the information organisations are storing and hoarding is unknown even to them, according to Veritas. All the lawyers techradar pro talked to agreed that the Model Clause agreement was the way to go.
"Until the Commission takes its final decision on the Privacy Shield, binding corporate rules and model clauses are still valid means of transferring data to the US," says Nicola Fulford, Head of Data Protection & Privacy at Kemp Little. "It also confirmed that transferring personal data to the US under the invalidated Safe Harbour decision is illegal."
Model contracts
"Many businesses have implemented alternative methods of data protection compliance, including the use of model contracts," says Ashley Winton, Partner and UK head of data protection and privacy at international law firm Paul Hastings LLP, and Chairman of the UK Data Protection Forum. He doubts there is much appeal in adopting the Privacy Shield, since it will increase their potential liability.
Others think a more physical approach to cloud computing is sensible. "In terms of their legal and regulatory obligations, these companies should host EU citizens' data exclusively within the EU borders and suspend transfer of data to the US," says James Henry, UK Southern Region Manager, Auriga Consulting. Cue the hybrid cloud.
Country-by-country
While the GDPR itself is unlikely to be a uniform, cross-EU law, the Privacy Shield certainly is not. "Many companies today are assessing their requirements on a country-by-country basis, with EU member states expected to layer their own rules on data protection on top," says Jones. This could mean different data regulations in each EU member state.
In any case, data protection and privacy laws are incredibly fluid, so no-one should get complacent. "Companies will need to be prepared to revisit this issue on a regular basis."
Europe may one day have blanket law on data protection, but even with the GDPR, it's likely to be implemented differently in each region. For now, Germany, France and Switzerland have the most stringent rules on data sovereignty.
"If a US-based company needs to transfer data from Germany to the US," says Toby Duthie, Partner at Forensic Risk Alliance, "it will have to take into account state and federal data protection laws, engage with workers and potentially their counsel, review the data in Germany, and ask a US court or government entity to request the documents from Germany through official processes – such as a mutual legal assistance treaty (MLAT)."
It's complex stuff, and what's more, the situation elsewhere in the EU is completely different. "In France, US companies will have to consider 'blocking statutes', and in Switzerland the Swiss Blocking Statute and Bank Secrecy laws, before transferring data out of the country," adds Duthie. The UK's Data Protection Act and Italy's Data Protection Code also make data transfers difficult.
Crimes and punishments
"The German Data Protection Authority has already taken legal action against three companies still relying on Safe Harbour, and we expect more to follow," says Nicky Stewart, Commercial Director at Skyscape Cloud Services, who points out that Google, Facebook and Fitbit are all still relying on Safe Harbour regulations.
It's thought that the EU Council are making plans to allow fines to be imposed of up to €1 million (around £800,000, or $1.15 million), or 2% of global annual turnover, and for the EU Parliament to levy fines up to €100 million (around £80 million, or $115 million), or 5% of global turnover. "Once the new EU legislation is in place, the EU Council and EU Parliament will be able to enforce potentially crippling fines," says Duthie.
That will make compliance with EU data protection law much more compelling for companies such as Google and Facebook, thinks Stewart, who expects that the European Commission's plans to regulate 'platform providers' will be "comprehensive and wide-ranging".
Not that size matters. "The size of the organisation doesn't help it escape compliance," says Leichter, "although smaller companies are less of a regulatory target and risk smaller, but still substantial fines."
Small companies that trade internationally from the UK can get excellent guidance and advice from the 'pragmatic' Information Commissioner's website.
What happens next?
It's now up to politicians in EU member states to discuss the GDPR, and legislate. However, the ultimate arbiters of what happens next – and how the GDPR shapes up – won't be companies, the US Department of Commerce, or the European Commission, but national regulators and the judges of the European Court of Justice.
Since the EU has the most progressive laws on data protection globally, its regulators and courts are the gatekeepers not only of EU citizens' personal data but, in a globalised market, of the entire globe's. "Internet communication has made the whole discussion on data privacy a global interest," says Lillian Pang, Senior Director, Legal, Rackspace. "But many countries will continue to observe what the EU does."