Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

What You Need to Know: Navigating EU Data Protection Changes – EU-US Privacy Shield and EU General Data Protection Regulation

Home
Industry Insights
What You Need to Know: Navigating EU Data Protection Changes – EU-US Privacy Shield and EU General Data Protection Regulation

Blog Article Published: 07/12/2016

By Marshall England, Industry Marketing Director, Technology & Cloud, Coalfire

If you’re an organization with trans-Atlantic presence that transmits and stores European citizen data (e.g. employee payroll & HR data, client & prospect data) in the U.S. you will want to pay attention. What we will discuss was administered under the European Union’s Data Protection Directive and a previous EU-U.S. agreement called Safe Harbor. We will cover what happened, what’s next, new rules (and penalties) that are set to go into effect and our recommendations.

What Happened?

Safe Harbor, invalidated by a European Court of Justice (ECJ) ruling (PDF) in October 2015, allowed companies to transmit and store EU citizen data in the US so long as the U.S. companies agreed to meet requirements as described in Decision 2000/520/EC otherwise known as ‘Safe Harbor Privacy Principles’. The European Court of Justice ruled to invalidate the Safe Harbor agreement as it determined that US companies were not able to meet Safe Harbor Privacy Principles as they conflicted with National Security Agency or other government agency subpoenas request for information and other government data collection programs. Data on EU citizens was found as a result of US government surveillance program information being made public. In other words, if U.S. companies were complying with Safe Harbor Privacy Principles, that information would not have been found or made public as a result of those programs.

What’s Next…

EU-FlagIn early February 2016, the US Department of Commerce and the European Commission announced a new framework called the Privacy Shield. Since then, a group known as the Article 29 Working Party, Europe’s data protection body, issued its own statement (PDF) about the Privacy Shield framework and expressed their reservations regarding the adequacy of the “Privacy Shield.” On July 8, 2016 the European Union Member States Representatives approved the final version of the Privacy Shield. The new Privacy Shield framework allows for transatlantic data transmission and outlines obligations on companies handling the data, in addition to written assurances from the U.S. that among other items rules out indiscriminate mass surveillance of European citizens’ data.

Additionally, in early 2016 the European Union enacted a new data protection framework that has been in the works since 2012, known as the General Data Protection Regulation. This new Regulation repeals and replaces the pre-existing European Union’s Data Protection Directive. While not much has changed in the new ‘Regulation’ U.S. companies should note that policies and procedures as it relates to employee data transmission from the EU to U.S. be updated as well as be aware of new penalties. The new rules of the Regulation (and penalties) “will become applicable two years thereafter.” So, in 2018, the rules and penalties around the General Data Protection Regulation will go into effect.

New Rules that will go into effect (enforceable, starting in January 2018):

  • Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
  • Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
  • Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.

New Penalties that will go into effect (enforceable, starting in January 2018):

Pay-finesUnder Article 79 of the Regulation, penalties and enforcements are described for Organizations less than 250 personnel and Enterprises. Violations of certain provisions for Enterprise organizations (> 250 employees) will carry a penalty of “up to 2% of total worldwide annual [revenue] of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual [revenue] of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organization.”

What should U.S. companies consider?

What-to-do_bThere are a few options we’ll highlight here such as conducting Privacy Assessments with Privacy Shield and GDPR regulations in mind, ISO 27001 / 27018 certification, cyber risk program development to include vendor risk management, incident response planning and cyber risk assessments.

What to do – Privacy Shield

As it relates to the new EU-U.S. Privacy Shield, companies should review and be aware of the legal requirements outlined in the Privacy Shield (PDF). For certified Safe Harbor organizations, continue to abide by those elements within Safe Harbor, as you still have an obligation to protect EU data transfers, and begin to incorporate the Privacy Shield requirements as you will have to obtain certification (in-house or third-party) to gain listing on the Privacy Shield website maintained by the Department of Commerce.

Specifically, “It requires participating U.S. organization to develop a conforming privacy policy, publicly commit to comply with the Privacy Shield Principles so that the commitment becomes enforceable under U.S. law, annually re-certify their compliance to the Department (of Commerce), provide free independent dispute resolution, to EU individuals, and be subject to the authority of the U.S. Federal Trade Commission (“FTC”), Department of Transportation (“DOT”), or another enforcement agency.”

New requirements for Privacy Shield participating companies as outlined on the Commerce.gov site include:

  • Informing individuals about data processing
  • Maintaining Data Integrity and purpose limitation
  • Ensuring accountability for data transferred to third parties
  • Cooperating with the Department of Commerce
  • Transparency related to enforcement actions
  • Ensuring commitments are kept as long as data is held

What to do – EU GDPR

Under the new EU General Data Protection Regulation (Chapter 4, Section 2), not only is there also a requirement for an annual assessment, but the Regulation requires for data breach notification, incident response planning and security awareness training for staff involved in the data transmission process.

As it pertains to incident response plan and handling, the regulation stipulates notification to a supervisory authority within the European Union within 24 hours and notification to data owners without undue delay. Having an incident response plan in place will be critical to an organizations ability to respond to a data compromise incident.

On vendor risk management, Article 26 stipulates that subcontractors cannot process or transmit data on behalf of the organization (e.g Data controller). Since most organizations have programs for vendors to access systems or assist in data management, you’ll want to evaluate your vendors’ security and risk posture, since you could be affected by their negligence and entangled into one of those 2% or 4% of total revenue fine situations.

There are many other certifications and services that organizations should consider if they are not being done already including ISO 27001/27018 certification and attestation, privacy assessments and vendor risk management services to ensure data processors participate with Privacy Shield requirements and GDPR regulations.

ISO 27001 AND 27018 Certifications are an international security framework for securing information systems. ISO 27001 establishes an Information Security Management System and is an independent verification that your organization meets the ISO 27001 security standard.

ISO 27018 is a compliment to ISO 27001 and specifically focuses on protecting Personally Identifiable Information (PII) transmission and storage in the cloud. For Data Controllers and Data processors, meeting ISO 27018 will provide your organization with a method to establish control objectives, controls and guidelines for implementing measures to protect PII in the cloud in accordance with privacy principles in ISO/IEC 29100.

In Conclusion

The finalized Privacy Shield and the updated EU General Data Protection Regulation will require U.S. Companies to make EU citizen privacy a paramount priority to avoid any ramifications from EU regulations. Contact Coalfire to discuss any of the above information. Where needed we can also pull in our partner law firm to further educate and provide guidance on the updated EU privacy and data changes.

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Enhance your cloud security skills with CSA's online training options.