In a global economy, the seemingly frictionless act of doing business across continents with just a few clicks and keystrokes belies a highly complex and contentious gauntlet of laws dictating how data can move from one jurisdiction to another. And when the direction of that data is from the U.S. to the European Union, the issue gets sticky. This fact was made evident in a recent National Law Review article giving an update on the ongoing trade negotiations related to the transfer of personal data in the wake of the Schrems II decision.
Before I go any further, I want to make it clear that I am an engineer, not a lawyer, so what follows should not be taken as legal advice. That’s a disclaimer akin to a garment tag that reads “remove child before washing.” But I am an engineer whose company makes and sells software that moves data securely between business partners, and so this particular issue is of interest to me and my company.
There’s tension between the U.S. and EU when it comes to the protection of personally identifiable information (PII). European law recognizes data privacy as a fundamental human right, while in the U.S. PII is treated more or less as a commodity. As such, whenever companies here want to deal with data from over there, the differences come into conflict. We have our privacy and data protection regulations and they have theirs, but the European data privacy authorities (DPAs) don’t trust us to follow their rules, and that is what Schrems II is really all about, as this line from the article makes clear:
European courts held that “U.S. national security powers and programs conflict with the fundamental rights of people in the EU (in part due to overly broad data collection) and do not provide adequate remedies for EU persons who suspect their fundamental rights have been violated.”
The confusion that results often leads to problems if organizations aren’t careful to understand and follow the rules. Sometimes those problems involve big companies and attract a lot of attention, like what is going on between Ireland and Facebook (which we recently wrote about). It seems the easiest way to address this issue is to pick the most stringent set of rules that apply and establish a data security and management program that satisfies them—an Occam’s Razor approach. That’s what the engineer in me thinks, anyway. The non-lawyer in me wonders if it’s really that simple, since violations keep happening. Or maybe it’s just that change is hard and people are stubborn.
Three Steps to Compliance
The National Law Review article says that, rather than impose an outright prohibition on U.S.-EU data transfers (which would likely have harsh economic repercussions), the European Data Protection Board instead “imposes a very high burden on transferors and recipients of EU personal data.” Which, if you think about it, should be obvious, and yet data breaches resulting from poor data management and security practices remain common events in even routine business practices.
To help organizations understand what it takes to continue to engage in transactions that require cross-border data transfer, the article suggests three things:
- Know what data you have and what security and privacy rules apply, and be able to demonstrate compliance;
- Establish processes that satisfy GDPR requirements for security and privacy protections, and be able to demonstrate compliance; and,
- Ensure there are no issues in play in any jurisdiction through which your data passes that would undermine the protections guaranteed by GDPR.
Of note, the article addresses the issue of data encryption, saying “EDPB guidelines, taken as a whole, are likely to make encryption a virtually mandatory standard tool for safeguarding EU personal data.” Apparently, there may be instances when authorities would want access to information crossing their borders, but our view is that all commercial data transfers should be encrypted by default.
Compliance Should be Easy
As complex as the legal environment is, at Coviant Software we’re doing our part to make it simple to adopt the means of compliance with all the domestic and international laws that apply to secure data transfers, whether or not the files involved cross any borders. Compliance shouldn’t be a chore, and that’s why Diplomat MFT is simple to use, is fully automated, encrypts files by default, and documents each step of the process to ensure organizations can demonstrate compliance when audited. And we offer our products at a value and level of performance that fits, no matter the size of your organization.
To navigate the legal requirements of alphabet soup regulations like GDPR, HIPAA, SOX, GLBA, PCI DSS, and the rest, hire a good lawyer who can help you understand your obligations. To navigate the technical requirements for secure, managed file transfer that supports a data privacy and security compliance program, use tools that are engineered to make it easy to follow your lawyer’s advice. For a free demonstration of Diplomat MFT, fill out the form at the bottom of this page.
# # #