In Europe, privacy regulators and courts are examining the transfer of personal information to the United States. Certain types of data flows have been suspended due to data privacy and security concerns. Could the EU’s data security policy changes affect your organization?
Last week, after determining that a contract with a US-based service provider didn’t offer adequate privacy safeguards, Portugal ceased information flows to the US company. The information included private citizens’ census data. Across Europe, regulators are investigating similar data transfer challenges and, in some cases, aim to freeze the delivery of personal data to non-EU nations.
Data security policies
In July, a court ruling required additional privacy protections for data moved outside of the EU. Yet, out of convenience or the need for specific types of services, some organizations continue to transfer data in a way that circumvents official requirements. “It’s obvious [that] not everyone is undertaking the level of assessment that’s required,” says Eduardo Ustaran, co-head of a law firm dedicated to privacy and cyber security practice.
In November, new guidelines outlined further privacy safeguards for information transferred outside of the EU bloc. Businesses may need to show compliance with strict encryption practices if they wish to conduct external data transfers. The latest draft guidelines imply that “transfers of data to third-party countries is [and will be] severely curbed,” says security researcher and consultant Lukasz Olejnik.
Big data security
Why has Europe clamped down on data sharing? European courts have ruled that US government surveillance represents a threat to EU citizens’ data privacy. At any time, US companies may be forced to hand over information about customers to the federal government. In the event of data mishandling or misuse, European regulators feel as though there are not enough options for redress in America’s legal system.
In February, French Uber drivers filed a class-action lawsuit against Uber Technologies, requesting that the company cease its practice of sending drivers’ personal information to the United States.
“This data can be used by any U.S. authority without any control,” stated lawyer Jerome Giusti.
Uber’s response? “We do not share our users’ personal data for commercial purposes without an appropriate legal basis, or sufficiently aggregated not allowing identification of our users.”
Trans-Atlantic data transfers
Privacy advocates anticipate further scrutiny of trans-Atlantic data. In Hamburg, audit organizations have demanded information concerning safeguards around data that leaves the EU. As a result, organizations needed to adjust data-transfer methods and to re-think international exchanges.
Some organizations that have previously relied on US-based online platforms have turned to alternative options. Will this hurt US businesses? Will the United States reappraise its data collection and data security policies?
According to EU authorities, twelve nations, including New Zealand and Canada, maintain data privacy laws that align with European requirements. As a result, EU companies can move data to such regions without additional layers of data security.
Complex data regulations have required EU-based organizations to devote extensive time and resources to these issues. As a result, “privacy professionals are going to have to work hand-in-hand with security professionals more so than they ever have in the past,” says Caitlin Fennessy, research director for the International Association of Privacy Professionals.