Last week we posted about the recent ruling by the European Court of Justice that declared the Safe Harbour framework invalid. Safe Harbour was the arrangement under which US companies self-certified to a set of data protection principles so that personal data of EU citizens could lawfully be transferred to them.
Amid the current environment of mass surveillance, brought to light by the revelations of Edward Snowden, MEPs, supported by this latest ruling, are calling on the European Commission to “immediately take the necessary measures to ensure an effective level of protection equivalent to the protection ensured in the EU”.
The immediate impact on business is, in reality, limited at this point, but there is confusion about what is and isn’t acceptable for organisations on both sides of the Atlantic that handle EU citizens’ data in US-based facilities and companies.
In the US, the Department of Commerce is still administering the Safe Harbour programme and is directing any related queries it receives to the European Commission. It is operating in a business-as-usual manner until an alternative is agreed.
Data protection authorities across Europe have issued press releases for their respective countries, and these have been consolidated in an article published by Bird & Bird. The UK ICO, in its statement, emphasised the need for action from the European Commission to define a clear and unified response to the ruling, but also commented that the judgment does not in itself mean personal data held in the US is under greater threat; rather, it places obligations on organisations to protect that data.
It is understood that organisations that have relied on the Safe Harbour agreement will need time to update their contracts and processes to meet any revised guidance, but the ICO went on to state that there are a number of alternatives to Safe Harbour, which was only one of several legal bases for EU-US data transfers.
Below are a number of steps organisations can take to reduce their reliance on the Safe Harbour agreement as the legal basis for transfers:
- Implement the European Commission’s approved model clauses (standard contractual clauses) in contracts with US recipients
- Implement Binding Corporate Rules (applicable to multinationals transferring data within their own group)
- Rely on the published exceptions (derogations) in European data protection legislation, which include, but are not limited to, situations where the individual has given unambiguous consent to the transfer, the transfer is necessary on important public interest grounds, or the data is taken from a public register
- Rely on the data controller’s own assessment that the protection in place for the transferred data is adequate, and document the reasoning behind that assessment
More information is available via the ICO website, including the model clauses and a guide to outsourcing for small and medium-sized businesses. Equivalent information will be available from the Data Protection Authorities in the other affected jurisdictions.
Our team of specialist cybersecurity consultants understands the importance of data protection, and our staff are highly skilled in a wide range of security disciplines including Data Protection, PCI DSS and ISO 27001. We can provide consulting support to help you understand your Data Protection responsibilities.
We can also help you design, implement and document appropriate security controls, procedures and policies to meet your obligations, all within a holistic cybersecurity framework that takes into account the other standards and regulations that apply to your business. For further information email firstname.lastname@example.org
If you are a merchant that requires technical or PCI DSS help, please click here