CS Nov-Dec 2020

More documents

Recommendations

Info

Data privacy BEYOND THE EU-US PRIVACY SHIELD: WHAT'S NEXT FOR EUROPEAN ENTERPRISES? A NEW RULING HAS SHAKEN UP HOW THE EU AND U.S. REGARD DATA PROTECTION AND DATA PRIVACY comes to processing and using data, namely: For more effective monitoring and control of an entire population For the pursuit of one's own geopolitical interests For the benefit of specific economic interests With focus on data protection and the rights of individuals. Cloud computing and the networking of a wide variety of systems mean many European companies send data streams to the United States, where the international market leaders, the so-called 'big players', are based. The ECJ's ruling means there are many enterprises that are compelled to act now. The European Court of Justice (ECJ) judgment invalidating the EU-US Privacy Shield has caused uncertainty for many enterprises and presented them with challenges on how to handle private data. In the long term, this ruling offers European enterprises valuable chances for reassessing data-driven business models and re-imagining them in a way that is compliant with the required protections of personal data. Things may not be so simple for US enterprises seeking trade in Europe. As with its predecessor, the Safe Harbour Privacy Principles, overturned in 2015, the EU- US Privacy Shield determined that transferred data in the United States was not sufficiently protected under the current EU law (GDPR) demands. Standard Contractual Clauses, which constitute the foundation on which many enterprises transfer data to the USA, continue to be valid. If, however, it turns out that, despite these clauses, data protection in the United States (in real and concrete cases) does not take place, this last remaining legal basis will undoubtedly be invalidated as well. Private digital data is increasingly valuable and is a highly sought-after resource - 'the new gold'. There are different motives when it We asked Cryptshare CEO Mark Forrest to offer his thoughts on what has transpired: What are the key takeaways from this ruling? Mark Forrest: This ruling did not take place in a vacuum. We are looking at 20 years of legislation: From the Safe Harbour Privacy Principles to the EU-US Privacy Shield, the practice of self-certification had enabled companies to tick a box and say, "Yes, we comply". They did not have to prove their compliance, rather their non-compliance had to be proven. This practice has now been ruled invalid. European legislation demands that privacy requires specific top priority guidelines. In the United States, other factors are in the foreground: National security takes precedence over data protection concerns, meaning privacy gets put aside, or is diminished as a consideration. With this ruling, there are penalties in place that can be large for companies that breach the EU requirements and the case against Facebook 20 computing security Nov/Dec 2020 @CSMagAndAwards www.computingsecurity.co.uk
Data privacy today's legal reality. has been re-opened. The US has a strong national agenda; their economic interests and national security concerns don't necessarily align with EU data protection laws. The question now is how the US will respond. Will US companies be fined for violations of GDPR or could US intelligence agencies be restricted in their access to the personal data of European citizens? We should expect some debate; with national security, it is a two-way street. Data-driven business with high economic value is more biased to US interests. What are the implications for European enterprises? MF: Many will look at this and think, "There is nothing we can do". Most use tools provided by third parties from outside the enterprise and there is a high dependency on external contractors. In today's world, there is no going back from using office tools, databases, analytics tool, integrations…it is not only cloud service providers offering these, and the biggest players are in the US; in Europe, we have fewer data-driven businesses, and many promising EU based technologies and startups have been acquired in their infancy. If you remove those tools because US companies don't meet the required standards of GDPR, many EU companies can't function well. European enterprises are required to comply with all data protection laws, so they must identify any areas where they don't and take action. If they fail to do so, they risk getting dragged into a maelstrom of fines. The potential financial consequences of this ruling are huge. What can enterprises do, in concrete terms? MF: This ECJ ruling was effective immediately. So, it is important for enterprises to act now and mitigate the potential risks. European companies operating mainly in Europe already have a high standard to meet, namely the GDPR; they run into trouble when they employ the services of companies that don't comply. European enterprises need to divert the risks that suppliers can cause for them and require their compliance with any applicable EU data protection laws. Eventually, there will be a new agreement increasing the pressure on the US to change priority, but until then businesses must ensure their compliance with How has Cryptshare reacted to this? MF: Enterprises must comply the way they needed to before. For European companies operating in Europe, we already have a high standard, which we help companies to meet. Data is one of today's most valuable assets; entire business models are built on it. Therefore, it greatly matters where this data goes and what happens to it, once it is there. Enterprises need a product like Cryptshare to protect their data in transit, and make sure it remains safe between senders and its intended recipient, not falling victim to predators that include data-driven businesses, bad actors and governments both legitimate and malign. That is the essence of the ECJ ruling. Where can transatlantic data privacy agreements go from here? MF: Action is required from all parties; politicians must draft a new agreement between the EU and the USA that constitutes a sustainable and resilient basis for all future data transfers to the USA, and this must be done quickly. In order to stand up to the scrutiny of the ECJ, any agreement must ultimately meet the data protection requirements that EU standards demand. In the United States, other factors are clearly given priority, namely their economic interests and their intelligence agencies' wide-reaching powers to access personal data, regardless of its origin or location. They have so far shown little willingness to make concessions to European data protection laws, should they come at the expense of their national interests. It currently seems that it will be up to Europe to make its own demands for data protection and data privacy a reality, as the US seems unwilling to concede ground. To find out how enterprises can exchange sensitive messages and files in a secure, traceable and compliant way, go to: https://bit.ly/3mU8is1 www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security 21
Page 1 and 2: Computing Security Secure systems,
Page 3 and 4: comment TIME TO TAKE GDPR UP A GEAR
Page 5 and 6: Pragmatic and experienced risk mana
Page 7 and 8: editor's focus "Well trained staff
Page 9 and 10: health monitoring within the compan
Page 12 and 13: smishing SMISH, SMASH, BASH! A RELA
Page 14 and 15: smishing scams, while the Associati
Page 16 and 17: industry insights THE NEW ORDER IS
Page 18 and 19: mergers & acquisitions HITTING THE
Page 22 and 23: contact tracing WE HAVE CONTACT THE
Page 24 and 25: contact tracing smartphones in mind
Page 26 and 27: hacking surge HACKERS FOR HIRE HACK
Page 28 and 29: hacking surge Adrian Rowley, Gigamo
Page 30 and 31: threat intelligence APTS AND COVID-
Page 32 and 33: gender inequality TIME TO REBALANCE
Page 34 and 35: gender inequality equates to - and
Page 36: NEW Sensitive Data Discovery and Re

CS Nov-Dec 2020

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?