EU Citizens' Data Must Be Protected
In the years between 1998 and 2000--before the rise of cloud computing (Amazon Web Services launched in 2002), before social media (Facebook was launched in 2004), when even Google was just a babe--the US Government worked with the European Union to create a set of "Safe Harbor" regulations covering the rights of individuals to online data privacy. Fast forward to 2015, and US organizations have come under fire for not adhering to Safe Harbor, while recent court cases have put the future of Safe Harbor into question.
Back in the day the regulations were formed around 7 basic principles:
NOTICE: Organizations have to clearly inform individuals about:
- The purposes for which it collects and uses information about them
- How to contact the organization with complaints
- The types of third parties to which it discloses the information
- The choices and means the organization offers individuals for limiting its use and disclosure.
CHOICE: An organization must offer individuals the opportunity to opt out of data collection and have full control over what an organization can do with their data, including who it can be revealed to.
ONWARD TRANSFER: It is totally OK to transfer individuals' data, as long as whoever receives the data complies with the Safe Harbor principles.
SECURITY: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.
DATA INTEGRITY: Consistent with the Principles, personal information must be relevant for the purposes for which it is to be used.
ACCESS: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate.
ENFORCEMENT: Effective privacy protection must include mechanisms for assuring compliance with the Principles, including penalties for organizations that mishandle individuals' data.
Since these principles were established, the Federal Trade Commission in the US has managed a voluntary program for organizations wishing to self-certify their compliance with the Safe Harbor principles. After an October 2015 court case alleging that the NSA (National Security Agency) of the US had improperly collected the private data of EU citizens, a new set of negotiations began with European privacy regulators, and a "Safe Harbour 2.0" agreement seemed close to fruition.
Ipswitch's Alessandro Porro has these comments regarding the current best practices for organizations holding EU citizens' data: "Businesses should start working immediately to audit their data sharing practices, including use of US cloud sharing services like Dropbox, so that they understand exactly where they stand and are ready to act when further guidance is issued."
Here are some more best practices to take the risk and pain out of your next security & compliance audit.