The flow of data between the United States and the EU may be at risk as tensions are rising around Privacy Shield. If you haven’t been living under a rock for the last two years, you will likely have heard of the GDPR – the EU data protection regulation that now fiercely protects EU citizen data, whether in the hands of a non-EU or EU-based organisation. You may have wondered, then, how companies in places like the US are still able to legally hold and process EU data without falling foul of the GDPR, and the answer is Privacy Shield. Privacy Shield is a framework that allows companies on both sides of the Atlantic to transfer data while complying with the GDPR. However, this may all soon change, with Members of the European Parliament calling for Privacy Shield to be brought up to scratch or invalidated.
It seems that everyone in the cyber security sphere is talking about ransomware these days. Last year, attacks such as WannaCry, NotPetya and BadRabbit took the business world by storm, costing billions in damages. Ransomware is by no means a new threat (it has been around since at least 2005), but it is one of the fastest growing and most costly. Cyber crime is constantly changing, and criminals keep creating news ways to steal money. Ransomware has gotten increasingly sophisticated since 2005, but the people using and deploying it haven’t necessarily – now some cyber criminals are making more money selling high-tech ransomware strains to non-technical criminals than if they were to conduct the attacks themselves. The result is that more and more ‘hackers’ have access to ransomware and need very little technical know-how to operate it, leading to more and more ransomware attacks each year. It may come as a surprise, then, to hear that the FBI received less reports of ransomware attacks in 2017 than in 2016 and 2015, despite the increase in attacks.
The FBI reported just 1,783 reports of ransomware attacks in 2017, compared to 2,673 in 2016 and 2,453 in 2015.
Data transfer between the EU and US had come under fire in the Irish courts, due to a dispute in the clause Facebook Ireland uses to send data back to its international parent, Facebook US. EU data protection and privacy laws are among the strongest in the world, and as such, any data pertaining to EU citizens cannot be transferred outside Europe without strong assurances in place that the data will be processed under EU-compliant terms. While the US data protection laws are considered inadequate for European data, many international tech companies circumvent this using a model known as “standard contractual clauses”, whereby the parent company (Facebook US, in this example) enters into a contract with their EU subsidiary (Facebook Ireland) which pledges to meet the EU’s strict rules. Ireland is home to the European headquarters of 9 out of 10 of the of the world’s largest social media companies, and standard contractual clauses have been considered legally acceptable by the EU since 2001.
Ireland is home to 9/10 of the world’s largest social media companies (including Facebook), making it a crucial link between EU and US regulations.
With the EU General Data Protection Regulation (GDPR) only 8 months away from coming into force, surveys are showing that many businesses across the UK and Ireland are still confused about exactly what the regulation means for them, and may be unprepared for GDPR. A survey conducted of over 1000 IT decision makers revealed that 64% were unaware that customers’ birth dates are considered personally identifiable information (PII), which is especially worrying as any mishandling of such data could constitute a breach of the GDPR and result in fines of up to €20 million. 42% did not realise that email marketing databases contained PII, 32% did not consider physical addresses to be and 21% did not even consider customer email addresses to be PII. In contrast, 85% of these survey respondents reported that they have reviewed the GDPR requirement thoroughly and 79% believe they have done everything they need to do to secure their data. This disparity marks a worrying trend for businesses, big or small.
The GDPR comes into full effect on the 25th of May 2018 – and no one wants to be made an example of
With the GDPR now less than 8 months away from becoming enforceable, businesses all over the EU and indeed any company that conducts business with EU citizens are scrambling to prepare in time for the legislation. The upcoming General Data Protection Regulation was designed to give back clarity and control to users about how their sensitive data is being processed and held, but has led to quite a bit of confusion for businesses about how this will actually work. Most people will have heard about the increased fines, as regulators can now fines offending bodies up to €20 million or 4% of global turnover, but there is a lot of confusion and indeed misinformation and misinterpretation out there to make the process even more difficult. To this end, there’s a few things we’d like to set the record straight on, particular around consent. Over the coming weeks and months we hope to provide more guidance of areas prone to misinterpretation, so stay tuned!
Myth: You must always have consent to process someone personal data.