We’ve been following the story of Facebook’s run-in with data privacy regulators in Ireland over the social media giant’s cross-border data transfers, which the data protection commissioner there says are illegal. There has always been conflict between the U.S. and the EU over the handling and protection of private data, owing to fundamentally different views on the matter. Personal data privacy is treated as a fundamental human right in Europe, whereas in the U.S. personally identifiable information (PII) is thought of more as an economic asset. In America there are fifty different views, one per state, of how much protection is required when PII is entrusted to an organization; in Europe the omnibus General Data Protection Regulation (GDPR) sets a single standard and mandates stiff penalties for non-compliance.
Angels on the Head of a Pin
Whether the Europeans are right or whether we are is a matter of debate along the lines of how many angels might dance on the head of a pin. What matters is that, if you are a U.S. company seeking to do business in Europe, you’ve got to conform to European law, even if you disagree with it. That would seem obvious, but diplomats are currently working hard on an agreement that reconciles the differences and sets rules for things like cross-border data transfers.
Which brings us back to Facebook vs. Ireland.
I won’t guess at the reason Facebook maintained data transfer practices that ultimately landed it in hot water with Ireland. Was it hubris, or a genuine reflection of the confusion that exists? The Irish data protection authority (DPA) will sort that out. Either way, it’s interesting to see a data transfer causing an intercontinental stir.
Most organizations recognize that it’s important to handle data with care, even if they don’t regard data transfer as an issue of global magnitude. You might not have to worry about sending data overseas, but even if the only borders your data transfers cross are state or county lines, the principle is the same: if you’ve been entrusted with someone else’s data, you have a responsibility to protect it, and to keep it safe when you share it with others for legitimate business reasons. A data transfer doesn’t have to be Facebook vs. Ireland big to be big to your organization.
There’s a lot of confusion on this issue because, as individuals, we’re used to the idea that data transfer is a simple matter of attaching a file to an email or dragging a folder into a Dropbox account. But sending PII, financial, medical, and other sensitive data is not the same as sending a selfie to your bestie, and that’s not how data transfers should happen for a lot of common business transactions. An email attachment leaves copies in every mailbox it passes through, is protected end to end only if someone remembers to encrypt it, and produces no reliable record of who received what. It’s not practical, it’s not safe, and, for regulated data, it’s probably not legal.
For example, some of our customers are major healthcare organizations. Every day they have to send a great deal of protected health information (PHI) to other organizations: insurance providers, state and federal agencies, other healthcare providers, and companies that provide supporting services. These are often large, time-sensitive files. Whether the batches are large or small, it’s important that they get where they are supposed to go, because any delay might delay a service or a diagnosis. Some files might even need to go overseas, and all of them are regulated by the Health Insurance Portability and Accountability Act (HIPAA).
Possible, Probable, Practical
Is it possible that someone on the hospital’s administrative staff could handle sending all that information where it needs to go, when it needs to go, and in accordance with the law? It’s possible, but it’s not probable, nor is it practical. Healthcare is a high-pressure environment. People work long hours and there is little room for error. An errant email, a missed deadline, or an overlooked file is all it takes for a violation to occur. Then there’s the necessity of maintaining meticulous records of every transfer in case there’s an audit, and there will be one when the inevitable error occurs.
Instead, why not automate the process? That way, everyone in the healthcare service chain has confidence that files will be batched, encrypted, delivered where and when they are needed, and handled in compliance with whatever law applies, with a record of every transfer kept in case of an audit. That’s what Coviant Software’s Diplomat MFT does for healthcare, financial services, legal, industrial, governmental, retail, and other enterprises that handle sensitive data every day: millions of files a day, sent securely, reliably, and automatically.
If that sounds better than explaining to the Irish DPA, or your state’s attorney general, why you didn’t follow the rules, we’d be happy to give you a demonstration, or you can take Diplomat MFT for a free test drive if you prefer.