Authorities in Brussels are still hashing out the details, but it’s quite apparent that EU data privacy laws are about to get some serious teeth. Whatever they ultimately declare, Peak 10’s commitment to compliance with Safe Harbor principles and protecting customers from the EU’s bite is unwavering. We’re ready for whatever comes our way.
US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive 95/46/EC on the protection of personal data. Intended for organizations within the US that store personal data on EU residents, the seven Safe Harbor Principles (notice, choice, onward transfer, security, data integrity, access and enforcement) govern how that data is collected, used, secured and disclosed. Financial penalties for failure to comply have been nominal up to this point; the primary consequence has been damage to one's reputation for being fast and loose with personal data.
All that is about to change. Under the proposal backed by the European Parliament in March 2014, fines for non-compliance would be set at up to 5 percent of global annual turnover (annual revenue), or up to €100m (roughly $138M at early-2014 exchange rates). That should get the attention of the boardroom, as is its intent. There are four additional changes, too, having to do with:
- Liability (it rests with the organization that controls the data, the data controller)
- Breach notification (prescribed, vaguely, as "without undue delay")
- "Explicit" consent to collect personal data for a specific purpose, as well as proactively telling customers they have "the right to be forgotten"
- Appointment of a data protection officer in organizations that process personal data on more than 5,000 individuals
Companies that have taken EU data privacy rules seriously are already well positioned to handle the updated law, though not without cost. Those that have not are in a precarious position right now.
“From our perspective, the EU is taking privacy even more seriously; there are no shortcuts when it comes to compliance,” said David Kidd, Peak 10 director of quality and compliance. “The updated regulations will only add to the burden of our customers who are subject to the EU data protection laws, especially when it comes to communications with their customers, explicit consent and other requirements. It is our job to relieve as much of that burden as possible by providing storage and cloud infrastructures they can confidently rely on. We do that very well.”
The record for Safe Harbor compliance at both US companies and cloud service providers has been, to put it politely, less than perfect. For an EU business or organization looking to engage a US cloud-storage provider, we offer the same advice we give to US customers seeking secure, compliant storage providers: believe only what can be proved.
In a recent report (Q&A: EU Privacy Regulations, March 12, 2014), Forrester Research, Inc. offered recommendations to EU companies assessing US business partners; the same apply to US-based cloud service providers:
- Ask the provider to supply proof of compliance assessment, including documents that detail what provisions it implements to satisfy each of the seven principles.
- Self-certification must be renewed annually, so ask the provider for ongoing proof of compliance throughout your contract period, not just at signing.
- Check that the provider's privacy policy is published and that it actually describes how EU personal data is handled.
- Confirm that the provider has self-certified to the US Department of Commerce and that its entry on the Safe Harbor list is current.
Beyond that, affected firms ought to look closely at the cloud storage provider's overall security and compliance posture. Annual independent audits under the SSAE 16, ISAE 3402 and AT-101 standards show that the provider's controls have been examined by an outside auditor; read the report's scope and any noted exceptions rather than treating the attestation alone as proof that the environment is secure. Additionally, compliance with the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA), as amended by HITECH, shows that the provider is accustomed to serving customers bound by strict requirements for data privacy, handling and protection, though neither standard substitutes for Safe Harbor compliance itself.