Just as data security becomes a major focus for businesses of all types and some organizations figured they have a handle on data protection, the European Court of Justice issued a new judgment that nullifies Safe Harbor, otherwise known as the European Commission's Decision 2000/520/EC of 26 July 2000. The court determined that the data privacy policies of Safe Harbor are not adequate enough in regard to the transferring of data between the U.S. and EU. Simply put, this spells trouble for businesses around the world.
This all started when a citizen of Austria filed a complaint with Ireland's Data Protection Commissioner. The assertion was that the U.S. does not enforce data privacy regulations that would prevent public agencies from performing surveillance on EU citizens when their data is sent from the EU to the U.S. Right away, Irish authorities struck down the complaint, pointing specifically to Safe Harbor as a reason why. However, the case was escalated to the High Court of Ireland, and soon, the EU Court of Justice ruling was delivered. Long story short, Safe Harbor is now void.
"The EU Commission is working on a new agreement with the U.S. in regard to data privacy."
What's after Safe Harbor?
As a note, and perhaps in a gleam of hope, the EU Commission is working on a new agreement with the U.S. in regard to data privacy and the protection of personal information. The two governments want to ensure that data is adequately secured and that citizens have nothing to worry about with respect to their privacy. Most importantly, Commissioner Vera Jourova told the Committee on Civil Liberties, Justice and Home Affairs that "self-certifications" such as Safe Harbor are effective at ensuring data security, but in its past state, Safe Harbor was not sufficient.
Enterprises around the world should prepare to upgrade their IT systems and cybersecurity practices to make them compliant with whatever new frameworks are introduced as industry requirements and regulations.
Uncertainty is in the air
At the present, many organizations – from both the U.S. and EU – are requesting cybersecurity frameworks for U.S.-EU data transfers sooner rather than later, according to TechCrunch. The source cited a report written by Bridges – a group of scholars from the U.S. and EU – which advocates for policies and regulations that are "globally-accepted" and representative of the capabilities and cultural differences of the nations in question.
Meanwhile, The Electronic Frontier Foundation, the U.S. Center for Digital Democracy, Privacy International and the European Consumer Organization slammed the Bridges report, asserting that it is "remarkably out of touch" with today's cybersecurity climate, TechCrunch stated. In essence, the EFF and its affiliates don't believe that self-regulation is the solution. In response, Daniel Weitzner, a Bridges report contributor, said that his group doesn't suggest self-regulation but rather argued that the Federal Trade Commission must work closely with EU data privacy organizations to develop "user control technologies."
While new agreements and frameworks are being formed, German data privacy officials are taking the matter into their own hands. According to Computerworld, Hamburg's data protection registrar will start investigating American companies that have offices in Germany and registered themselves with Safe Harbor. The German agency will try to solve many problems as well as conduct these audits, and primarily, these will try to determine what the best solution to data privacy and data transfers is – binding corporate rules, model clauses or self-regulation frameworks? – while weeding out the regulations and guidelines that are currently insufficient.
What's the solution?
Enterprises need to think fast about data privacy. German officials stated that if U.S. companies sending data overseas and back are still adhering to Safe Harbors guidelines, those agencies will prevent data transfers, the source explained. In the meantime, no new data transfers can be established out of Germany. This could just be the start of a new world of extremely strict data privacy regulations.
"Regardless of where data is stored, cryptography is a best practice."
One solution for dealing with data protection in the EU was laid out by Johannes Caspar, Hamburg's Commissioner for Data Protection and Freedom of Information, as he simply suggested storing consumers' private information in data centers in the EU, as reported by Computerworld. At first glance, this might seem like a challenge for major enterprises and brands, especially with such a reliance on cloud services nowadays, but therein is the solution: U.S.-based merchants can sell products overseas and maintain data privacy by working with payment processing firms that offer cloud services based in data centers which are located in EU countries. This way, personal information and payment card data remains in the EU, yet still provides value to merchants. Alternatively, EU-based retailers can do the same, outsourcing their payment processing to U.S. data centers.
Another solution lies in technology. Enterprises just need to protect sensitive data in a sufficient fashion, and often, this means that encryption, tokenization and cryptographic methods of data security are required to ensure that no hackers, government agencies or unauthorized employees can view private information. Regardless of where data is stored, cryptography is a best practice.
To ensure complete compliance and data privacy at all times, merchants should leverage both tokenization and rely on EU-based cloud services. Payment processing and security firms will not only process consumer data in those shoppers' country of origins, but it will obfuscate the information, guaranteeing privacy.
Time will tell in this data privacy situation, but that doesn't mean organizations around the world shouldn't act as soon as possible. After all, strong data protection practices are all it takes to ensure private information remains private.