EU / US Privacy Shield Affects Your Organisation

When you're choosing a cloud provider or a partner to work with, where you physically store your data probably isn't one of the first things that you think about. However, it should be, as exporting data to foreign countries can result in severe penalties and could see you in breach of EU law.

One big issue is the EU-US Privacy Shield, which came into effect on 12 July 2016. It governs the transfer of personally identifiable information (PII) between Europe and America. Under this framework, US companies have to be certified, guaranteeing that European data is adequately protected, processed and shielded from mass US surveillance.
If any of your data is stored or processed on US servers, you need to ensure that the companies you're working with hold the right certification.

Changing Tides

Of course, legislation can change, and you may suddenly find that a service is no longer compliant. The US, for example, may introduce new laws or executive orders that directly overrule the safeguards put in place for processing EU data.
Equally, if the EU rules that the Privacy Shield is no longer valid, data stored and processed on US servers would once again fall foul of European law.


The original agreement between the EU and the US, Safe Harbour, is a case in point. Although it was implemented in 2000, Edward Snowden's revelations about the US National Security Agency and its monitoring methods raised strong concerns that EU data was no longer safe from snooping in the US, and in 2015 the European Court of Justice ruled that the agreement was invalid. It's also important to note that Brexit won't change the situation: even after Britain leaves the EU, any company processing European data will need to maintain the same levels of compliance. If you store or process data outside of the EU and the US, you still need the required level of protection. Physical location therefore needs careful consideration if you are to remain compliant with both local and EU rules.

Stronger barriers

So even with full compliance, storing your data in a different country can add complication to your business. For a start, you have the added problem that your data is subject to foreign law enforcement agencies and laws. This may mean that you have to deal with legal challenges and law enforcement agencies that you find it difficult to communicate with.
Although we live in a world where data transfer is easier, location is increasingly important.

Data transfers are going to get even harder when the General Data Protection Regulation (GDPR) takes effect on 25 May 2018. Part of the new regulation is a restriction on how and when data can be moved outside the EU. According to the official guidelines from the Information Commissioner's Office (ICO): "Personal data may only be transferred outside of the EU in compliance with the conditions for transfer."

GDPR covers both the temporary transfer of data and its long-term storage, for example with a cloud provider. From the terms of GDPR, it's clear that the EU intends to review transfer agreements regularly, which may mean that what was legal one year is no longer legal the next.

With GDPR allowing for much bigger fines for companies in breach of the regulations, up to €20m or 4 per cent of worldwide turnover, whichever is greater, businesses simply cannot ignore where their data is stored, and must verify that every storage location is compliant.

Although we live in a world where data transfer is technically easier than ever, location is increasingly important from a legal perspective. No matter who you do business with, you need to know where your data is physically stored, and that such storage and processing complies with current law.
