The announced ‘EU-US Privacy Shield’ agreement regulating data transmitted across the Atlantic ocean will require all EU commercial organisations to ensure that data transmitted is well protected from privacy and security attacks.
- Every organisation involved in EU-US trans-Atlantic data transmission should be aware of the “Privacy Shield” details.
- The EU-US Privacy Shield agreement imposes stronger than expected security regulations.
Commission vice-president Andrus Ansip and Justice Commissioner Vera Jourova said in a statement : “It is fundamentally different from the old Safe Harbour: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.”
Commercial trans-Atlantic data transfer regulations provisionally agreed by the US and EU in February 2016 have now been approved by EU member states. This agreement now enables the regulations to come into effect. This is expected to take place within two weeks. The agreement is referred to as the ‘EU-US Privacy Shield’.
While EU member states have previously resisted US proposed ‘Safe Harbour’ data security regulations protect the security and privacy of trans-Atlantic data flows due to member states’ dissatisfaction with the regulations’ strength; the ‘EU-US Privacy Shield’ is seen to impose stronger regulations of transmitted and off-shore shared and stored data and impose tougher penalties for breaches.
The ‘EU-US Privacy Shield’ agreement, designed to protect the privacy and security of data transmitted across the Atlantic ocean, puts in place a range of obligations for commercial organisations transmitting, sharing, storing and otherwise using EU member states’ data within the US.
Ansip and Jourova said the implications for commercial organisations are stronger protection of high-value data transfers annually such as businesses and financial transactions including payroll and human resources information and Big Data used in online advertising and other digital services that are crucial to trans-Atlantic and international business.
EU-US data transfer pact clears final hurdle
A commercial data transfer pact provisionally agreed by the European Union and United States in February has received the green light from EU governments, paving the way for it to come into effect next week.
The introduction should end months of legal limbo for companies such as Google, Facebook and MasterCard after the EU’s top court struck down the previous data transfer framework, known as Safe Harbour, over surveillance concerns.
Representatives of EU member states mostly voted in favour of the EU-US Privacy Shield, but there were abstentions from Austria, Slovenia, Bulgaria and Croatia.
Austria and Slovenia have voiced concerns that the pact does not go far enough to secure their citizens’ privacy.
The new framework will underpin over US$250 billion (A$330 billion) in trans-Atlantic trade in digital services annually by facilitating cross-border data transfers that are crucial to international business.
“Today member states have given their strong support to the EU-US Privacy Shield, the renewed safe framework for transatlantic data flows,” Commission vice president Andrus Ansip and Justice Commissioner Vera Jourova said in a statement.
The EU Commission will formally adopt the Privacy Shield on Tuesday.
Senetas High-Assurance Security Comments
The implications for EU businesses of the EU-US Privacy Shield agreement will be first felt by commercial organisations regularly transmitting, sharing and storing data across the Atlantic. That mandates the security of all data transmitted across high-speed data networks.
European regulators have been increasingly treating digital information – data – as very high value assets, critically important to international trade and EU countries’ economies, as well as being critical to the privacy and safety of their countries’ citizens. Regulatory compliance is both increasingly mandated and followed up with significant financial penalties (e.g. 4% of business annual turnover).
Importantly, European regulators are catching up with data lifecycle security issues and risk exposures. They increasingly understand data life-cycles and the underlying technologies that expose data to serious risks. Additionally, regulators are focusing on cyber-criminals most popular data targets. Large volumes of often unprotected (not encrypted) data streaming across the Atlantic!
Whether the business and technology applications are: gathering, sorting, analysing and sharing (Big Data); in-house or outsourced including SaaS and Cloud services; or stored, backed up, accumulated and warehoused in-house (data centres), off-shore or locally by data centre service providers; regulators recognise data security and citizen privacy as essential to their countries’ economic reputations as a secure place in which to do business and protect their citizens and commercial organisations from harm.
The European regulators also understand the risks to data at rest; data in motion across networks; stored /archived and back-up data; and shared data – the data life cycle.
Data security regulations such as the EU-US Privacy Shield impose strict rules and responsibilities as well as penalties that force commercial organisations to act responsibly at all points throughout the data lifecycle.
However commercial organisations acquire, use, share and store data; and whether the data is in-house, held by service providers locally or across borders; the EU-US Privacy Shield is one significant step towards protected intellectual property, business secrets and citizen privacy; and protection from serious business disruption. Through significant regulatory requirements and serious penalties for non-compliance the EU sees that its annual US$250billion trans-Atlantic trade is well protected.