What is Safe Harbor / EU Privacy Shield?
Since the Edward Snowden leaks, the fear of EU citizens data being spied on by the US authorities led to the old rules (Safe Harbor) being kicked out by the European court of justice. Rather, the EU privacy shield was introduced as a replacement. It is basically an updated agreement between the EU and US to ensure that EU Citizens data gets treated by US companies the same way it would in the EU. Although the framework has been agreed the real substance around how this will work is still being worked out.
Insurers are concerned, should you be?
I wanted to write an article on this subject as I know it’s going to be something that will affect many of our clients. While I was working with a client and their Cyber Risk Insurer to implement an ISO 27001 Compliant program, our conversation turned to the new EU privacy shield. The insurers are extremely concerned about the new laws and if they are, it’s even more important that the rest of us are too. I suspect that if you transfer EU citizens’ data to the US these new laws will have a big effect on your cyber risk insurance premiums. Now there is still plenty of confusion about the regulations and a lot of the detail is still being confirmed, but there were some interesting points raised. I thought it would be wise to share these points, as not everyone is aware of the far reaching effects.
It appears that the EU Privacy Shield will mimic much of the self-regulatory structure of Safe Harbor. However, it includes much stronger enforcement fines. Although there is good news for small to medium businesses, these fines will be based on the size of the company.
Below is an idea of where they can cap out:
Fines
The EU privacy shield regulation provides for fines:
- Up to € 10 million or 2% of the total worldwide turnover of the previous year in case of breach of obligations relating, among others, to the
- Implementation of a privacy by design and a security by design approach, as well as the performance of a data protection risk assessment in case of new technologies such as those of the Internet of Things
- Recording of data processing activities
- Data processor’s main obligations
- Notification in case of data breaches
- Appointment of a data protection officer (when necessary)
and
- Up to € 20 million or 4% of the total worldwide turnover of the previous year in case of breach of obligations relating, among others, to the
- Basic principles for data processing, including the conditions for privacy consent
- Individuals’ rights such as the right of access, the right to be forgottenand the portability right
- Transfer of personal data outside of the European Economic Area, which will be crucial in the view of the Privacy Shield now agreed as to the transfer of data to the United States.
Who should be concerned?
All companies that transmit EU consumer data to the US, regardless of size of business, should be taking note of what the EU Privacy Shield requires you to do. There’s no doubt that large companies who can afford to have EU data centers will be less concerned. Companies with data centers in the US should be making plans for changes, and those that rely on the cloud need to be starting conversations very quickly about where their EU data is held.
If your company transfers EU citizens data to the US and would like to find out a little more about how we can help you stay on the right side of EU privacy shield, please connect with me.
Tiro Security is a boutique Information Security recruitment and professional services firm who focuses on helping larger companies staff their teams and small to medium businesses improve their security posture.