CIO, business must wield EU-U.S. Privacy Shield

CIOs have a part to play in adopting the enhanced data transfer pact. Also in Searchlight: Survey says majority of companies not ready for digital business; Dell-EMC merger is close to done.

Weeks after the United Kingdom's vote to leave the European Union comes a welcome show of EU-U.S. solidarity: the passage of the EU-U.S. Privacy Shield.

Privacy Shield replaces Safe Harbor, the set of principles governing the transfer of Europeans' personal data that was overturned by the European Court of Justice last October because of concerns about U.S. government surveillance. The new data transfer regulations are in line with European data-protection laws.

CIOs should pay careful attention, not only because Privacy Shield's rules are more specific than Safe Harbor's, with stiffer penalties -- but also because enactment of the laws represents a significant expansion of the data landscape and underscores the importance of data governance as a critical navigation tool.

The new laws require that company websites make clear how customers' data will be collected and used. Also, companies must delete personal data after it has served its initial stated purpose.

A new framework

Enza Iannopollo, a London-based analyst for Forrester Research, said U.S. companies that collected data from European customers under Safe Harbor, which had been in place for nearly 15 years, will see similar contours in the EU-U.S. Privacy Shield. For one, it's based on a set of data-protection principles: "Notice" lets customers know how their data is being gathered; "choice" gives customers the option to opt out of the collection process. What it's not is a how-to compliance guide.

"As a company, you decide the kind of compliance, the kinds of practices you put into place," Iannopollo said. "There is not a clear indication of, 'OK, you have to do A, B, C and D to comply.'"

It's also voluntary. U.S. companies need to self-certify -- they can start Aug. 1 -- by promising they have strictures in place to uphold the framework's principles. If they don't, they risk being banned from collecting data from EU customers. The Federal Trade Commission, under agreement with the EU, is in charge of enforcement.

Fitting the armor

Besides higher fines for violations and an easier path for European customers to sue U.S. companies, there's another, perhaps graver, implication: a loss of company reputation, and ultimately, business.

"Customers are looking more and more into this issue. Customers more and more make buying decisions on the basis of their perception of that company to protect their data," Iannopollo said. "The reputational impact is going to be enormous."

That means CIOs need to take action, she said. First, they need to understand what is required of companies signing on to the framework. And they should make sure those requirements are "translated to the organization in a way that they can understand."

Then CIOs need to make sure they're implementing the data-protection controls and technologies Privacy Shield's principles call for, Iannopollo said. They need to determine whether they have the business processes in place to fulfill the demands laid out in, say, its choice principle.

"And if the customer decides that they don't want to share data with you anymore, ask your organization about a way to actually separate and remove that data from the overall so you can get on with your big data initiative or your analytics initiative."

A joint exercise

Miriam Wugmeister, a privacy and data security lawyer at law firm Morrison & Foerster LLP, said if companies are going to wave privacy credentials such as those laid out in Privacy Shield, they need a "holistic" program that ensures that personal information is safe and secure in their data banks. And that requires collaboration.

"The data security folks, the CIOs and the chief privacy officers need to be joined at the hip," Wugmeister said. "Because what they're doing has to be seamlessly integrated so that the promises that you're making can actually be supported by the technical and administrative measures that the CIOs are putting in."

CIOs, she said, will also be instrumental in identifying the biggest risks. They need to communicate that to the business, help set the agenda and figure out what can and can't be done.

"I saw one company say, 'We're going to encrypt all data,'" Wugmeister said. "What does that mean? Data in transit? Data at rest? You can't encrypt all data all the time, because then you can't use it."

The EU-U.S. Privacy Shield isn't the only way for European companies to ship data. Model contract clauses provide another mechanism for data transfers, as do binding corporate rules. Companies need to run risk assessments and then determine which transfer route to go -- or even to not transfer data at all, Iannopollo said.

The important thing is to understand what each transfer option offers and what its implications are -- that's especially true of the Privacy Shield pact, she said.

"You cannot think to move data around regardless of the rules," Iannopollo said. "It's not an option anymore to think, 'Yeah, I can do without following the rules.'"

CIO news roundup for week of July 18

Press outlets covered the EU-U.S. Privacy Shield this week -- here's what else they reported:

  • Are you ready for digital business? A recent Gartner survey of 948 IT professionals worldwide found that 59% believe their organizations are not ready for the digital business changes coming in the next two years. "IT professionals indicate that their investment priorities, infrastructure changes, skills development and business-IT interactions are in flux, and that they are unsure how their IT organization will make it through any digital transformation," analyst John Hagerty said in a statement. But 91% of respondents firmly believe they will play a role in their company's digital transformation. The survey results also indicate that cloud computing, data and analytics, security and mobility are the technologies that will have the biggest effect on IT professionals' jobs and careers in the next 18 months. Respondents identified cloud and data and analytics as the top tech skills gaps they were trying to fill.
  • Investing in the smart future. Japanese tech giant and Sprint owner SoftBank said Monday that it is acquiring U.K.-based chip designer ARM for $31 billion in a post-Brexit cash deal. The majority of smartphones and tablets, as well as other smart devices that range from self-learning thermostats to self-driving cars, use ARM technology. "ARM will be an excellent strategic fit within the SoftBank group as we invest to capture the very significant opportunities provided by the internet of things," Masayoshi Son, founder and CEO of SoftBank, said in a statement. The deal will also help SoftBank focus on artificial intelligence, The Verge reported. Meanwhile, Reuters reported on Thursday that SoftBank is teaming up with Honda to look into the possibility of building cars that can communicate with drivers and gauge their emotions.
  • Biggest tech acquisition in history nears close. EMC said Tuesday that 98% of its voting shareholders cast their votes in favor of its merger with Dell, a deal worth more than $60 billion. "Today's resoundingly favorable shareholder vote clearly supports our view that combining Dell and EMC will create a powerhouse in the technology industry," EMC CEO Joe Tucci said in a statement. Because of a slide in VMware shares, the value of the acquisition has dropped to $62 billion from $67 billion. The buyout that was announced last October is set to close by end of this year, subject to regulatory approval from China and the completion of merger paperwork.
  • The future of the internet takes flight. Facebook's internet drone Aquila, first announced a year ago, successfully completed its first full-scale test flight, the company said Thursday. The battery-powered aircraft, which took off from an airfield in Yuma, Ariz., on June 28, has a wingspan of 141 feet and weighs approximately 900 pounds, The Verge reported. Once fully operational, these high-altitude, unmanned aircraft will be solar-powered and stay airborne for up to three months at a time. They will "beam broadband coverage to a 60-mile-wide area on the ground, helping to open the opportunities of the internet to people in under-connected regions," the company said in a blog post that details findings from the test flight.

Check out our previous Searchlight roundups on the Pokemon Go craze and Google's push to master computer vision.

Assistant editor Mekhala Roy contributed to this week's news roundup.
