On February 2, the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows. The new framework—the EU-U.S. Privacy Shield—succeeds the previous Safe Harbor agreement ruled invalid late last year.
It is expected to retain or enhance many of the elements contained in the original framework, including commitments by U.S. companies to give appropriate notices to EU citizens, maintain the security of transferred data, and tighten restrictions on any forward transfers.
These points matter greatly to business. To succeed in this new environment, U.S. companies must:
- Roll out company-wide initiatives to protect customer data as if it were their own.
- Protect data at all levels with end-to-end encryption, authentication and access controls.
- Be transparent about their compliance with the new ruling, as it will help them to retain customer trust in the long run.
Yet for all the debate around the transfer of data and the as-yet unspecified safeguards that U.S. companies must abide by, there is one elegant solution to protect and secure European data that the dealmakers did not consider. They could simply have ensured that the keys used to encrypt data reside in the EU. This way, regardless of where the encrypted data goes, it remains safe, because it cannot be read without keys that never leave EU jurisdiction.
This puts security front and center of the business, and communicates how highly a company values its customers’ data security.
We’ve seen how damaging security breaches can be both financially and from a reputation perspective for any kind of organization. So it’s imperative that, from the CEO right down through every level of a business or public body, the detrimental effect that poor security can have on a firm is understood.
Under the EU-U.S. Privacy Shield, EU citizens stand to gain a clearer understanding of how their data is used, with additional measures to lodge and process complaints. The U.S. Director of National Intelligence is also expected to confirm by official letter to the EU that U.S. intelligence agencies do not engage in “indiscriminate mass surveillance” of data transferred under the new arrangement.
There will also be an annual joint review by the European Commission and U.S. Department of Commerce to gauge how the agreement is functioning, which will include a review of access by U.S. intelligence agencies to EU-originating data.
This is sensible, and the new framework needs to be respected. Compliance must be seen as a responsibility essential both to the success of each business and to the continuation of the agreement.
What are your thoughts on the new framework? Do you think U.S. companies and EU citizens will benefit? Let me know in the comments on @Gemalto.