The webinar covers:
• What Safe Harbour is, and how companies relied on it
• How the end of it will affect US firms
• What will happen next
• How companies will react
• The implications of this act
• What is the solution to this
Presenter:
This session was hosted by Mr. Graeme Parker, Managing Director of Parker Solutions Group, a PECB representative in the UK. Mr. Parker has more than 20 years of experience in information security and data privacy, and was also involved with many companies that relied on Safe Harbour.
Link of the recorded session published on YouTube: https://youtu.be/cbPUTVtxem0
The End of Safe Harbour
Today’s Webinar
a. What is/was Safe Harbour?
b. Why did it matter?
c. What are the alternatives?
d. What next?
What is/was Safe Harbour?
Context
Safe Harbour was introduced as a self-certification process for US-based organizations to demonstrate their compliance with EU data protection regulations.
Before we discuss this, however, we need to set some context as to why this scheme was introduced. To do this we need to look briefly at the history of EU privacy legislation.
Privacy Legislation – EU – Directive 95/46/EC
Data Protection Directive
Developed from the OECD Principles Governing the Protection of Privacy and Trans-Border Flows of Personal Data (1980).
Considers the human rights principle of respect for one's private and family life.
Is enacted across the EU in national data protection acts which have 8 key principles at their heart.
Concerned with the collection and processing of PII.
Privacy Legislation – EU – Directive 95/46/EC
The Eight Data Protection Principles are:
Personal data shall be processed fairly and lawfully
Personal data shall be obtained only for one or more specified lawful purposes
Personal data shall be relevant, adequate and not excessive for the purpose
Personal data shall be accurate and where necessary kept up to date
Personal data shall not be kept for longer than is necessary for the purpose
Appropriate technical and organizational measures shall be implemented
Personal data shall not be transferred outside the EEA unless equivalent protection is in place.
But the US does have Privacy Legislation
There are many acts with privacy implications in the USA, such as:
Fair Credit Reporting Act (FCRA)
Fair and Accurate Credit Transactions Act (FACTA)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act
Children's Online Privacy Protection Act 1998 (COPPA)
Driver's Privacy Protection Act
These deal with many specifics, but none is an overall approach.
Safe Harbour
There are two Safe Harbour agreements:
US–EU
US–Switzerland
US organizations can apply the controls and self-certify.
The scheme is managed by the Federal Trade Commission (FTC). Organizations subject to the jurisdiction of the FTC, or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation (DOT), may participate in Safe Harbour.
The programme is self-regulating; the FTC can step in if it is deemed that an organization is potentially guilty of misrepresentation.
The Safe Harbour agreement has 7 principles.
7 Safe Harbour Principles
The 7 principles are similar to the EU principles:
Notice: People must be advised about the use of their data.
Choice: People must have the option to “opt out” or, in the case of sensitive data, “opt in”.
Onward Transfer: Must fall in line with the notice and choice principles, and the third party must be in line with Safe Harbour or “have adequate controls related to privacy in place”.
Access: Individuals have the right to access and correct data about them.
Security: Organizations must take steps to ensure the security of the personal data.
Data Integrity: Personal data must be relevant, accurate and up to date.
Enforcement: Mechanisms to investigate and address complaints must be in place.
The ruling
On the 6th of October 2015 the European Court of Justice ruled that the existing Safe Harbour agreement was invalid. The decision was based on a case brought by the Austrian Max Schrems that involved data transfers from Ireland to the US by Facebook.
Max Schrems, a Facebook user since 2008, approached the Irish Information Commissioner after the Snowden revelations in 2013 to express concern about the privacy of his personal data when it was transferred to the US. The Irish Information Commissioner rejected his concerns on the basis that the European Commission had determined Safe Harbour to be adequate.
The case highlighted that Information Commissioners (supervisory authorities) have the right to challenge the “adequacy” decision made by the European Commission. The European Commission looked only at Safe Harbour and not at the national law of the USA when making its “adequacy” decision: a flawed decision, as Safe Harbour does not apply to USA government agencies.
See the note at the end of the ruling: it is down to the Irish Information Commissioner to make a judgement.
Who does this apply to?
Many organizations may argue that they do not transfer data to the USA. In fact, any organization that outsources the processing of personal data or uses cloud services needs to investigate this.
Examples of where processing of personal data may become relevant here are:
Use of cloud services to store or process data
Payroll services
CRM and sales systems
HR systems
Document storage solutions
Email and messaging services
Application services
Database services
What are the Alternatives
Solution: EU Model Contract Clauses
Description: These are rules embedded in the contract between the company and the US-based service provider. This can be applied even within the same organization. Will rely on the involvement of legal counsel and ongoing monitoring as things develop.
Solution: Binding Corporate Rules
Description: For internal overseas transfers, formal rules can be agreed. However, to be valid these will need some agreement with EU regulators.
Solution: Review and Implementation of a Privacy Framework
Description: In order to really ensure risk is being managed, organizations transferring EU citizen data to the USA (or indeed any other country not deemed as “adequate”) will also need to implement strict controls and demonstrate the management of such controls.
Next Steps
The immediate responses for affected organizations are:
Work to implement an effective framework
Consider the ISO 29100 Framework?
Address contractual issues or seek alternatives
Work with suppliers: can you implement EU Model Contract Clauses, or should you seek alternatives?
Review and risk assessment
Assess organizational data flows (does personal data leave the EU?) and identify the associated risks.
ISO 29100
Specifies a high-level framework for protecting Personally Identifiable Information.
Clauses are written using the verb “should”.
Broken into 5 sections covering terminology, framework elements, and privacy principles.
Organizations cannot obtain certification against this standard.
Choose a Methodological Framework to Manage the Privacy Framework Implementation Project
1. Plan
1.1 Initiating the framework
1.2 Understanding the organization
1.3 Analyze the existing system
1.4 Leadership and project approval
1.5 Scope
1.6 Privacy policy
1.7 Risk assessment
1.8 Controls statement
2. Do
2.1 Organizational structure
2.2 Document management
2.3 Design of controls & procedures
2.4 Communication
2.5 Awareness & training
2.6 Implementation of controls
2.7 Incident management
2.8 Operations management
3. Check
3.1 Monitoring, measurement, analysis and evaluation
3.2 Internal audit
3.3 Management review
4. Act
4.1 Treatment of problems
4.2 Continual improvement
Definition of Privacy
What is Privacy?
There are many different views depending on location and culture, but in general there are four points:
• Privacy of personal information
• Privacy of the person
• Privacy of personal behaviour
• Privacy of personal communication
Definition of Privacy Framework
ISO 29100
The privacy framework proposed by ISO 29100 states:
The privacy framework is intended to help organizations define their privacy safeguarding requirements related to PII within an ICT environment by:
• Specifying a common privacy terminology;
• Defining the actors and their roles in processing PII;
• Describing privacy safeguarding requirements; and
• Referencing known privacy principles.
Note: An effective working framework consists of policies, procedures, guidelines, and associated resources and activities.
Linkage Between ISO 29100 and ISO 27001
ISO 29100 and ISO 27001 Concepts
ISO/IEC 29100 concept -> corresponding ISO/IEC 27001 concept:
Privacy Stakeholder -> Stakeholder
PII -> Information Asset
Privacy Breach -> Information Security Incident
Privacy Control -> Control
Privacy Risk -> Risk
Privacy Risk Management -> Risk Management
Privacy Safeguarding Requirements -> Control Objectives
Generally Accepted Privacy Principles
The Generally Accepted Privacy Principles (GAPP) were developed in 2009 by the American Institute of CPAs and the Canadian Institute of Chartered Accountants (CICA) in order to present an approach for a privacy framework.
This course uses the principles of GAPP and ISO 29100 to build a comprehensive privacy framework.
An implementation can consist of good practices from a number of sources:
Generally Accepted Privacy Principles
Canadian Institute of Chartered Accountants
ISO 29100
Commission Nationale de l’Informatique et des Libertés
What else could be coming?
Other developments?
There could be more as things develop:
• The new EU Data Protection directive is in development
• Proposals for a Safe Harbour 2.0
• Transatlantic Trade and Investment Partnership (TTIP)
• More recognition of ISO 27018 for the Cloud Industry?
• International recognition of privacy means this becomes a global harmonization challenge, not just an EU/US issue