@elliehurstactive 6 months, 2 weeks ago
European Court of Justice has ruled that transatlantic data sharing agreement is invalid. What does this mean for UK businesses that utilise US datacentres or Cloud services?
Advent IM Director Mike Gillespie, “There are issues arising from this ruling that require the urgent attention of UK businesses and they need to be aware of the legislative implications of how they plan to store and manage data”.
For some time now, hosting companies, system support and system management companies, contact centres and most recently cloud providers have been selling their services, some or all of which reside in the US, into the EU. These companies have consistently cited Safe Harbor as the assurance that EU citizen data would be afforded the commensurate level of protection that it would receive from an EU/EEA member state.
The inception of Safe Harbor predates the US Patriot Act, legislation which, many people feel made a nonsense of Safe Harbor. This has been widely documented and discussed by Data Protection practitioners for some time now and, whilst there have been ongoing negotiations, the European Commission appears to have made little progress. Meanwhile any EU Citizen data resident in US servers remained vulnerable to release to US authorities.
In one fell and rather final swoop, the Court removed the blanket approval for data transfers to the US. This now allows for individual national Data Protection Authorities (ICO in UK) to scrutinise any proposed transfers to ensure that transfers guarantee the rights to privacy and freedom from surveillance afforded each of us by the Charter.
Of course one way to attempt to get round the issue could be by following the EU Model Clauses route, an option often deployed by organisations in the past wanting to transfer data to/allow data processing in non-EEA or other trustworthy countries ie India. This option required the inclusion of a series of model clauses into contracts which effectively bind the Data Processor to abide by the principles of EU Data Protection. However, which takes precedence, contract law or the Patriot Act? Can a commercial contact ensure the privacy of EU Citizens personal data and guarantee it to be free from disclosure to US Authorities? This seems highly unlikely.
A further option could be implementing Binding Corporate Rules (BCRs) which are “designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA”. So far so good as this sounds just the ticket especially for multinational hosting providers and cloud computing providers?
However for BCRs to work, applicants must demonstrate that their BCRs “put in place adequate safeguards for protecting personal data throughout the organisation”.
How can any company hosting data inside the US offer this? In reality they probably cannot.
The truth is, EU Citizens data protection cannot be guaranteed once it’s transferred to the US, this has been acknowledged so finally that the EU Commission and member states’ Data Protection Authorities have an imperative to do something about it.
The fallout from the decision is yet to be felt but could have far reaching for some organisations. The ICO has been at pains to point out that the ruling does not mean there is an increase in threat to people’s personal data. However, companies will need to review how they ensure that data transferred to the US complies with legislation. Safe Harbor was not the only regulation available for transfers between the US and EU but it was the most widely used.
So what does this mean in the short term? Immediately little will probably happen. The ICO are considering the judgement and will be issuing guidance in due course. A new Safe Harbor agreement is also currently being negotiated between the EU and US, and has been in negotiation for the last two years, following the Snowden revelations. Once various authorities have cogitated over the ruling we will then need to assess the full impact on organisations moving forward as more guidance is released. In the meantime, a review of current practices is recommended by those organisations transferring data to the US.
With changes to the EU Data Protection regulations imminent, I asked one of the Advent IM Consultants to put together a brief guide that might help businesses. This was originally posted on our own blog and is reproduced below.
GDPR (General Data Protection Regulation)
This January the European Commission revealed a draft of its GDPR. The European Commission is hoping to introduce the GDPR by this end of 2015 to replace the outdated EU Data Protection Directive 95/46/EC as this current standard is not really inadequate to deal with issues such as globalization, Social networks, Cloud Computing etc etc.
The GDPR is a Regulation and not a directive and so this means it will have immediate effect on all 28 EU member states after a 2 year transition period.
The GDPR includes a strict data protection compliance regime with severe penalties of up to 100M euros or up to five percent of worldwide turnover for organisations in breach of its rules.
What should it achieve?
The GDPR should provide a single set of regulations for data protection across the EU which deal with the current global environment and the advances made in communication technology and foster a baseline standard of data protection across the EU.
Non EU Businesses may still have to comply with the Regulation.
Non EU controllers (and possibly non-EU processors) that do business in the EU with EU data subjects’ personal data should prepare to comply with the Regulation. Although regulation beyond EU borders will be a challenge given the huge proposed fines, those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.
The definition of personal data will become broader, bringing more data into the regulated perimeter.
The Regulation proposes that data privacy should encompass other factors that could be used to identify an individual, such as the genetic, mental, economic, cultural or social identity of an individual. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.
Rules for obtaining valid consent will change.
The consent document should be laid out in simple terms, and there is a proposal that the consent have an ‘expiry date’. Silence or inactivity should not constitute consent.
The appointment of a data protection officer (DPO).
At the moment, there is still no agreement on the thresholds for appointing a DPO. There have been proposals to appoint a DPO for each company over 250 employees, and, in other instances, where companies process more than 5,000 data subjects a year.
The introduction of mandatory privacy risk impact assessments.
A number of proposals have suggested conditions under which a privacy risk impact assessment will be required. What seems to be clear is that a risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers are likely to have to conduct privacy impact assessments to analyse and minimise the risks to their data subjects.
The Introduction of data breaches notification
The Data Protection Officer (DPO) will be under a legal obligation to notify the Supervisory Authority without undue delay and this is still subject to negotiations at present. The reporting of a data breach is not subject to any minimum standard and it is likely that the GDPR will provide that such breaches must be reported to the Supervisory Authority as soon as they become aware of the data breach. Individuals have to be notified if adverse impact is determined.
The right to erasure.
The right to be forgotten has been replaced by a more limited right to erasure. A data subject has the right to request erasure of personal data related to him on any one of a number of grounds.
A user shall be able to request a copy of personal data being processed in a format usable by this person and be able to transmit it electronically to another processing system.
If you or a client need any further assistance with anything regarding Data Protection or Cyber/Information Security, just drop me a note.
The Right to be forgotten and other legal privacy issues. How does this get managed when data is global but legislation is local? Cyber has removed geography but where does that leave us when trying to handle legal issues around personal information and who gets to use or access it?
The ICO has issued a warning shot across the bow of legal firms, after 15 data breaches in 3 months. Rather than issue financial penalties, the information watchdog has chosen to issue a very public warning… more on the link
Our MD, Mike Gillespie was speaking on BBC Radio 5 Live and BBC Radio Scotland about this disastrous data breach. There will be audio files soon for those who want to hear his comment and advice. Watch this space.
One of the facts that has emerged so far is that this hack was in fact enabled by a spear phishing attack. For those of you who don’t know what this is, you are not alone. One if four UK employees does not know what phishing is and this major breach is a good example of why we have to get on top of security awareness training.
Phishing is when an untargeted,unsolicited email, purporting to be from a valid source, such as a bank, invites you to click on a link or open a file. This is normally accompanied by some vague ‘issue’ such as suspicious account activity or the suspension of your account. Many of us can spot them on sight now as they are usually unsophisticated and badly spelled though this is starting to change. The payload is normally malware or spyware and might do anything from stealing logins, keystrokes or financial details.
Spear phishing is targeted at specific individuals and is normally more carefully constructed usually using some knowledge of them and with a specific purpose in mind. This may be access to a particular database, as it would appear in this case. The target may have been observed on social media or in person to establish some means of dialogue or establishing trust. this will increase the likelihood of the email being opened and activated and therefore the payload being delivered.
You may also have heard of Vishing or voice phishing and is probably best exemplified by the ‘Microsoft’ support call scam. This is when you receive a random call out of the blue from someone claiming to work in tech support for someone like Microsoft who tell you they have identified malware or issues on your PC and tell you they need access to it to clear it up for you. They will get the target to open up their PC normally by frightening them with stories of awful failures on their PC and may go as far as getting them to open up the PC’s event viewer which will show a few red flags or failures (which is normal) this will then be passed off as justification for the intervention – proof if you like, of their timely intervention. This harmless activity then is used as the means of attack on an unsuspecting victim and their system is made vulnerable as they open up their PC to get it ‘fixed’.
This last one as well as being particularly cynical is also a cause for concern for employees who work from home or are mobile. Training staff in what they should or shouldn’t do, regardless of their geography has never been more important as cyberspace has no geography.