The European Union announced an agreement in principle with the United States on new rules surrounding data sharing between enterprises and governments in the two regions. The details of the new data sharing agreement are expected to be finalized in the coming months.
Organizations had relied on the Safe Harbor pact, which allowed American businesses to "self-certify" that they complied with more rigorous European Union privacy protection laws. Regulators were already discussing the new rules earlier this month when the European Court of Justice invalidated the Safe Harbor pact because the U.S. lacked legislation governing certain privacy rights, and the U.S. approach to domestic surveillance and data practices did not meet the E.U. standard.
The rules themselves are still a mystery, but European Justice Commissioner Věra Jourová said in a statement that "a system based on 'self-certification' such as the Safe Harbor is acceptable provided there are 'effective detection and supervision mechanisms.'" She went on to say that "the US has delivered on this by committing to stronger oversight by the Department of Commerce, stronger cooperation with European Data Protection Authorities and priority treatment of complaints by the Federal Trade Commission." Jourová said this would "transform the system from a purely self-regulating one to an oversight system that is more responsive as well as pro-active and back[ed]-up by significant enforcement, including sanctions."
Kurt Hagerman, CISO for Armor Defense Inc., said he expects the new framework will contain more robust and prescriptive requirements that U.S. enterprises will need to follow to meet E.U. privacy standards.
"These will likely include more clear statements on the usage and sharing of data as well as protection mechanisms and more robust reporting and attestation requirements," Hagerman said. "I would also expect that companies will be more likely to have to demonstrate how they are meeting these requirements in a more robust manner than simply answering some questions. Finally, U.S. businesses need to understand the impact of the new General Data Protection Regulation on their practices and be prepared to have a fairly short time period to implement them."
Hagerman also said there is likely to be more commitment on the part of the U.S. to oversee the program, including enforcement activities, but that more clarity is needed in terms of data access.
"The key element still to be worked out is around U.S. law enforcement access to data and that it must be subject to clear conditions and limitations," Hagerman said. "I don't see the U.S. as having much room to negotiate on this and believe we will see some additional requirements around access to E.U. persons' data held by U.S. companies."