
U.S. and EU tech companies at sea with end of data Safe Harbor

Steven Rubin and Stephen Milne | July 27, 2016
New EU regimes are under consideration, but currently uncertainty reigns

Nobody is more aware of our shrinking world than technology executives. They are also in a good position to see that contradictory requirements in the areas of data protection and privacy have created a confusing patchwork that, at times, runs counter to a global marketplace that places a premium on close collaboration and the smooth transfer of digital information.

Most companies are diligent about complying with their cybersecurity legal obligations, but inconsistent laws make it difficult. Some of the inconsistencies can be traced to deep historical and cultural differences between the United States and Europe. Compared with the EU, the United States has traditionally taken a far more open approach to information. In litigation, for example, U.S. discovery rules have typically favored disclosure, even erring on the side of being over-inclusive.

The most significant piece of U.S. federal legislation in this area is the Cybersecurity Information Sharing Act (CISA), signed into law in December 2015. The stated purpose of CISA is to promote the sharing of cyber threat indicators and information about new threat vectors between the government and the private sector. The underlying idea is to remove barriers that kept the technology industry, which is often aware of new malware or technical threats before the public sector, from passing that information to the government so that the public can be informed and warned.

Although the public would certainly benefit from this kind of collaboration, companies remain reluctant to share such information because the liability protection CISA offers applies only to sharing conducted in accordance with the Act and does not remove every risk of a lawsuit. Further complicating things, complying with CISA could produce very severe consequences if a company also conducts business in Europe and the shared information includes personal data of EU nationals, since the EU has a much stronger tradition of nondisclosure.

Previously, companies could balance the competing responsibilities of the two marketplaces by relying on the approved “Safe Harbor” regime, under which they self-certified to the Department of Commerce (DOC) that they adhered to a framework developed jointly by the DOC and the European Commission. In practice this meant they gave binding, publicly enforceable promises to the DOC that they complied with the framework's privacy principles and provided protection for personal data adequate to allow its transfer from the EU to the U.S.

However, Safe Harbor suffered a huge blow in October 2015 when the European Court of Justice, in the Schrems case, ruled that the European Commission's decision approving the program was invalid. Unfortunately for technology companies, this means the Safe Harbor route is no longer a valid basis upon which personal data can be transferred from the EU to the U.S. Even worse, there is currently no clear guidance as to what will be a properly valid route to effect such a transfer.
