Safe Harbour may be gone but its replacement is far stricter, explains Justin Clarke, director of underwriting and pricing at NIG

Justin Clarke Cyber

Late last year the EU scrapped Safe Harbour, its 15-year data-transfer agreement with the US. It said the agreement failed to protect European customers’ personal information stored on US servers.

Impossible to deny after former CIA employee Edward Snowden exposed government surveillance on servers owned by nine giant tech and internet firms – Google, Yahoo, Facebook, and Microsoft included.

It was clear US regulations fell short

In fact, Facebook were taken to court over the breach, prompting the European Court of Justice to strike down the Safe Harbour law. Why? Because it’s illegal to transfer data to countries with inferior data privacy rules. And it was clear US regulations fell seriously short.

After months of legal limbo, this July the European Commission rubber-stamped Privacy Shield, a replacement agreement with far stricter regulations and restrictions – and penalties for non-compliance. Its aim: to “ensure a high level of protection for individuals, and legal certainty for business”.

A stronger shield, vigorously enforced

Under Privacy Shield, US companies need to take steps to better protect European data held in the cloud. That includes publicly self-certifying they’ve complied with the stricter safeguards.

The FTC has powers to fine businesses breaching US data privacy laws

In a letter outlining the US commitment to overseeing compliance with the Privacy Shield framework, Edith Ramirez, Chair of the Federal Trade Commission (FTC), vowed to engage in “vigorous enforcement” of the Privacy Shield. The FTC has powers to fine businesses breaching US data privacy laws, including those required by Privacy Shield. (source)

What’s more, Europeans can complain to an ombudsman about improper data usage or surveillance. And the US has said it won’t conduct “indiscriminate mass surveillance” of data. (source)

The impact on UK businesses

Any EU business transferring customer information to the US or other countries must comply with EU data privacy laws. Think tech companies, and those using overseas services for payment processing, cloud storage, and web hosting. It’s a wide net that includes many British businesses.

Failing to comply with EU data privacy laws could result in hefty fines, along with the inevitable damage to customer trust and corporate reputation. And all it takes is unknowingly sending data to a US business that hasn’t subscribed to Privacy Shield.

Privacy Shield or GDPR?

Let’s not forget the EU’s GDPR (General Data Protection Regulation).

When it comes into effect on 25th of May 2018, companies will have to adopt data protection and privacy policies, including IT services. If they fail to report breaches, they could face fines of up to 4% of global turnover.

In the meantime, British businesses might be better off focusing on GDPR compliance since it requires greater accountability than Privacy Shield.

This could involve steps like appointing a data protection officer and undertaking data protection impact assessments. (source) That said, we think it makes sense to understand and prepare for both Privacy Shield and GDPR regulations.

Compliance confusion

One in five IT professionals didn’t know how the new regulations would affect them

In a survey by data security firm Ipswitch, 77% of British businesses said keeping up with changing data privacy regulations was a financial burden.

Alarmingly, one in five IT professionals didn’t know how the new regulations would affect them – despite already storing and processing customer data. And more than a third didn’t know if their IT policies and processes were up to the job. (source)

David Juitt, Chief Security Architect at Ipswitch, said, “Whilst IT professionals recognise the need to align data protection regulation to keep up with modern data sharing practices and the globalisation of data, it is clear that compliance comes at a price for most.” (source) But the cost of non-compliance is surely a heavier burden to carry.

How to comply


So how can businesses ensure they comply with Privacy Shield and GDPR obligations? Start with the following:

  • Talk to their cyber insurance provider to understand what’s required.
  • Consider taking out a specialised cyber insurance policy.
  • Train and educate staff on data protection and their obligations.
  • Implement a data management programme.
  • Review their IT and privacy processes and policies.
  • Ensure third-party contracts sufficiently safeguard personal data – such as contracts with online payment and cloud storage providers.

Insurers also need to understand the GDPR and Privacy Shield, so they can set realistic premiums and advise their customers on compliance.

What about Brexit?

Let’s look at another cyber security conundrum. When the UK leaves the EU, will British businesses still have to comply with the GDPR and Privacy Shield? And what happens to European data stored on UK servers – especially since tech giants Microsoft and Amazon Web Services are poised to open data centres here?

Josh Hardie, Deputy Director General of the Confederation of British Industry (CBI) said, “Ensuring UK firms can continue to seamlessly transfer data between our biggest trading partners will be an important priority for our future economic relationships post-Brexit.” (source)

The ICO (the UK’s Information Commissioner’s Office) thinks that won’t be a problem. It said even after leaving the EU, the UK will likely continue with the same laws and regulations, including Privacy Shield. (source)

Getting prepared

Despite the uncertainty, British businesses should begin focusing now on how they store, protect, and manage customer data. Lynn Collier, Chief Operating Officer at digital transformation company HDS UK said, “British consumers and businesses should begin making contingency plans to determine the path to compliance and to ensure their personal data and the data they look after is fully protected, regardless of the implications from Brexit.” (source)

At NIG, we couldn’t agree more.

cyber insight 2016