This past October, the European Court of Justice (ECJ) ruled to invalidate the long-standing Safe Harbor pact between the United States and the European Union. The Safe Harbor pact was established in 2000 and gave U.S. companies the right to transfer and store EU citizens' data stateside. The ECJ's decision was likely driven by recent revelations regarding data surveillance efforts by U.S. government organizations such as the NSA. In light of this development, the European Commission and the United States recently agreed on a new framework for governing transatlantic data flows: the EU-US Privacy Shield.
In short, the objective of the new agreement is to enforce limitations, safeguards and oversight mechanisms governing access to EU citizens' data by U.S. public authorities for law enforcement and national security purposes. The EU has stated firmly that it will enforce these rules strictly and, if they are broken, will once again block the transfer of European data to stateside servers.
So how exactly does the Privacy Shield differ from the old Safe Harbor agreement? Here are some of the highlights and key differences:
Obligations on companies handling Europeans' personal data and robust enforcement
U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and how individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by the European Data Protection Authorities (DPAs).
Clear safeguards and transparency obligations on U.S. government access
The U.S. has given the EU written assurances that access by public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance of the personal data transferred to the U.S. under the new arrangement.
Effective protection of EU citizens' rights with several redress possibilities
Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities, and companies have mandatory deadlines for replying to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission.
How you can stay compliant
The new framework is in its early stages, meaning that changes are still likely and enforcement has not been widely tested in courts of law. Fortunately, there are a few things companies can do now to minimize their exposure:
Physical Isolation of Data
The safest way to reduce your exposure is to make sure that the EU citizens' data you handle stays in the EU at all times. Many online service providers, including SendSafely, offer regional isolation of customer data. With regional data isolation, you control where the service provider stores different classes of data based on policies or contractual requirements. For example, SendSafely offers European customers the option to store all data within our EU data center. Even though the files and messages you send with SendSafely are already encrypted before being uploaded (we never have access to your unencrypted information), the regional isolation feature ensures that plaintext metadata, such as email addresses and other contact information, stays within the EU at all times. When evaluating a provider, confirm which data is covered by the regional guarantee: encrypted file contents and plaintext metadata (recipient addresses, file names, timestamps, logs) are often stored and handled separately.
Use End-to-End Encryption
Using end-to-end encryption on protected data makes it far less likely that the information will be disclosed through unauthorized access, regardless of where it is transmitted or stored. With end-to-end encryption, files are encrypted before they are transmitted and are decrypted only on the systems that require access and hold the proper decryption keys. The service provider and its storage infrastructure only ever see ciphertext.
For example, SendSafely encrypts all files and messages on the sender's machine, and those messages can only be decrypted by recipients in possession of the correct decryption keys. This means that nobody other than the sender and recipient can decrypt a given file, which is enforced by access control restrictions together with the requirement to possess the correct decryption key. So even if an adversary gains access to the file storage location or circumvents the access controls, they are still unable to read the file contents without the decryption key, which is distributed through separate means. The corollary is that key handling is the part you must get right: a key that travels through the same channel, or is stored next to the ciphertext, collapses end-to-end encryption back into plain server-side encryption.
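The following is an added illustration of the end-to-end model described above, written for this page; it is not SendSafely's code and does not reflect the product's actual key format or protocol. It uses Go's standard-library AES-256-GCM: the sender generates a content key and seals the file, the storage service holds only the opaque envelope plus the plaintext routing metadata, and the recipient decrypts with the key received out of band. The envelope type, the function names and the sample message are assumptions made up for the example; the out-of-band key delivery is represented simply by handing the key variable to the recipient's function, so wrapping the content key for a specific recipient (for instance with their public key) is not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the storage service holds: the ciphertext plus the
// plaintext metadata needed to route it. The content key is never part of it.
// (Hypothetical structure for this example, not a real product format.)
type Envelope struct {
	Recipient  string // plaintext metadata visible to the service
	Nonce      []byte // per-message GCM nonce, safe to store alongside ciphertext
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// newContentKey generates a fresh 256-bit key on the sender's machine.
func newContentKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the sender's side. The recipient address is bound in as
// associated data, so a stored blob cannot be silently re-addressed.
func Seal(key []byte, recipient string, plaintext []byte) (*Envelope, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(recipient))
	return &Envelope{Recipient: recipient, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts on the recipient's side. It fails closed if the key is wrong
// or if anyone with access to the storage location modified the envelope.
func Open(key []byte, env *Envelope) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	pt, err := g.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Recipient))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or tampered envelope")
	}
	return pt, nil
}

func main() {
	// Constructed sample message for the demo; not real customer data.
	msg := []byte("Quarterly HR report for the Dublin office")
	key, err := newContentKey() // lives only on sender and recipient machines
	if err != nil {
		panic(err)
	}
	env, err := Seal(key, "alice@example.eu", msg)
	if err != nil {
		panic(err)
	}

	// What the storage service, or an attacker with storage access, can see.
	fmt.Printf("stored: recipient=%s, %d opaque bytes\n", env.Recipient, len(env.Ciphertext))
	fmt.Println("plaintext visible in storage:", bytes.Contains(env.Ciphertext, []byte("HR report")))

	// Recipient with the out-of-band key reads the message.
	pt, err := Open(key, env)
	fmt.Printf("recipient decrypts: %q (err=%v)\n", pt, err)

	// Adversary who bypassed access controls but lacks the key gets nothing.
	_, err = Open(make([]byte, 32), env)
	fmt.Println("decrypt without key:", err)

	// Adversary who edits the stored blob is detected by the GCM tag.
	env.Ciphertext[0] ^= 1
	_, err = Open(key, env)
	fmt.Println("decrypt tampered blob:", err)
}
```

The associated-data binding and the authentication tag are what turn "the server cannot read it" into "the server cannot read it or alter it undetected"; confidentiality alone would still let an attacker with storage access flip bits in a message the recipient would then trust.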
Enforce a "Least Privilege" Data Access Model
Least privilege means that people and systems are granted access to information strictly on a "need to know" basis. Applying this model when provisioning access to protected data, such as EU citizens' data, minimizes potential exposure. Granting fewer people and systems access to this information is a good way to reduce your overall attack surface. Least privilege is only as good as its upkeep: review who still holds access periodically, revoke it when a role changes, and log access so that misuse can be investigated.
Document your Information Security Policies
Having well-documented security policies is critical for demonstrating compliance. If one of your customers or vendors wants to audit your information security program, documented policies and procedures provide a clear starting point and a baseline for judging whether adequate safeguards are in place. Be sure to include a data classification policy that identifies protected data, along with guidance on where protected data may be stored. You'll also want to take extra precautions when using third-party service providers to store or handle protected information. It is ultimately your responsibility to make sure you are contractually covered from a compliance perspective with those third parties.
SendSafely: Simple-to-Use End-to-End Encryption for Email and File Transfer
If your business needs a simple-to-use secure file transfer platform that is compliant with the EU-US Privacy Shield Framework, consider taking a look at SendSafely.