Last month, the European Court of Justice (ECJ) created a paradigm shift when it ruled that the Safe Harbour agreement governing data transfer from the EU to the US was invalid.
The ruling created a ripple effect across the Atlantic for US companies that relied on Safe Harbour as their sole compliance mechanism, and that thought the ECJ would never invalidate it.
What the ruling demonstrated was that the ECJ was not opposed to standing up against US data processing practices, and that in the future new provisos and agreements would have to be struck that put the interests of EU citizens at heart.
The root of the problem is the fundamental difference between the EU's expectation of privacy and the US belief in freedom of information and in growing the global marketplace, despite the potential negative effect on a citizen's fundamental right to protect their personal data.
This philosophical difference is not something that will be easily remedied. However, there are proven and feasible solutions for companies that work in both environments and achieve the standards of data protection required by the EU.
One such example is the implementation of Binding Corporate Rules (BCRs), the highest level of compliance companies can achieve in the EU. The development of BCRs is a complex process that encompasses detailed scrutiny by national Data Protection Authorities (DPAs) and binds companies to a rigid compliance process. To date, fewer than 30 companies have reached BCR status.
The upcoming revision of the current EU data protection directive will also substantially change the compliance landscape. The General Data Protection Regulation (GDPR) that has been timetabled to come into force at the beginning of 2016, with companies required to be compliant by 2017, will replace the current EU Data Protection Directive.
The intent of the GDPR is to provide a uniform piece of regulation whose requirements will be standardised across the entire European Economic Area (EEA), ensuring personal data is subjected to the highest levels of security, privacy and protection, but without hindering the growth of trade through the creation of a European single digital market.
Both the Safe Harbour ruling and the pending changes to the EU Data Protection Directive show that the situation is in a constant state of movement and fluidity. What is most important for businesses on both sides of the Atlantic is to keep abreast of the latest developments and to work hard to understand the impact of their data handling within the framework of fluctuating laws.
By ensuring compliance from a data collection, storage and processing standpoint, companies can avoid the risk of legal action from the individuals whose data is being handled. This is all the more important if, under the new regulation, companies found to be breaking the law could be fined up to 5% of their annual revenue.
This is where technology providers can become trusted advisors and offer greater value to their customers. In today's world, where data has the same if not greater value than currency, companies will look to those that not only understand the changes to the law, but can offer solutions and advice to ensure that companies, and the data they hold, are protected.
At a basic level, understanding data management across all the different IT infrastructure environments now available to companies is a must. Whether it is on-premises, public cloud, private cloud on-premises, hosted private cloud, colocated storage, or a combination of all of these, companies must be able to control and manage the stored data.
Effective privacy compliance and data control are the only ways that companies operating on both sides of the Atlantic will be able to handle the current and upcoming changes to EU data protection laws.
While many cite local data centres as the answer to data transfer concerns, in reality this is not a feasible remedy in the short term, and could create more issues for businesses down the road.
The Safe Harbour ruling signals the need for data management that maximises the value of data as an asset and removes locational barriers to privacy and compliance.
Sourced from Sheila FitzPatrick, chief privacy officer, NetApp