Nobody is more aware of our shrinking world than technology executives. They are also in a good position to see that contradictory requirements in the areas of data protection and privacy have created a confusing patchwork that, at times, runs counter to a global marketplace that places a premium on close collaboration and the smooth transfer of digital information.
Most companies are diligent about complying with their cybersecurity legal obligations, but wildly inconsistent laws make that difficult. Some of the inconsistencies can be traced to deep historical and cultural differences between the United States and Europe. Compared with the EU, the United States has traditionally taken a far more permissive approach to the handling and disclosure of information. In litigation, U.S. law has typically favored disclosure, even erring on the side of being overly inclusive.
The most significant piece of U.S. federal legislation in this area is the Cybersecurity Information Sharing Act (CISA), signed into law in December 2015. Its stated purpose is to promote the sharing of cyber threat indicators and defensive measures between the government and the private sector. The underlying idea is to remove the barriers that have kept the technology industry, which is often aware of new malware and attack techniques before the public sector is, from passing that information to the government so that the public can be informed and warned.
Although the public would certainly benefit from this kind of collaboration, companies remain reluctant to share. CISA's liability protection covers only sharing that is carried out in accordance with the Act's procedures, including the removal of personal information not directly related to the threat, and a company cannot always be sure in advance that a given disclosure qualifies. Further complicating matters, complying with CISA can have severe consequences for a company that also does business in Europe if the shared material contains personal data of EU residents: EU data protection law restricts transfers of personal data to countries that do not offer an adequate level of protection, and the EU has a much stronger tradition of nondisclosure.
For many years the U.S.-EU Safe Harbor framework was the standard basis for such transfers: a European Commission decision treated U.S. companies that self-certified to its principles as providing adequate protection. That route suffered a fatal blow in October 2015, when the European Court of Justice ruled in Schrems that the Commission's decision approving the program was invalid. For technology companies this means Safe Harbor is no longer a valid basis on which personal data can be transferred from the EU to the U.S. Worse, there is currently no clear guidance on what will be a properly valid route for such transfers. The standard contractual clauses and binding corporate rules that regulators have pointed to as alternatives remain usable for now, but whether they would withstand the scrutiny the court applied to Safe Harbor is an open question.