By Peter Swire
Two recent developments in EU privacy should draw the attention and energy of chief information security officers (CISOs). The first is the new General Data Protection Regulation (GDPR), which takes effect in May 2018. Holly Dragoo’s NTSC blog post from January, “U.S. Businesses Need to Prepare Now to Align with EU Privacy Law,” highlighted key aspects of the GDPR.
This post highlights a second development—the possibility of major disruptions in flows of personal information from Europe to the U.S. from the pending Facebook Ireland case. Both developments will challenge how companies handle European data, especially if the data moves across borders. CISOs should prepare their companies with the technical capabilities to adapt to a rapidly changing legal environment.
General Data Protection Regulation
As a brief reminder about the importance of GDPR, the EU has stricter privacy rules for the private sector than the US. The roots of this go back to Europe's efforts to create a common market, including for the free flow of information. In the early 1990s, there was a dispute involving transfers of employee data from Fiat France to Fiat Italy. The French authorities were worried that Italy didn't have strict enough privacy protections. As the case developed, the EU decided to create a system that had two features:
1. Free flow of data within the common market.
2. Mandatory privacy requirements that were relatively strict.
The European approach evolved into the Data Protection Directive, which was issued in 1995 and went into effect in 1998. That directive set forth the relatively strict privacy rules that companies have been complying with ever since.
In 2016, the EU finalized its next generation of commercial privacy rules in the GDPR. Some notable new provisions include:
1. Data Breach Requirements: Data breach notification in Europe will be subject to a very fast 72-hour deadline.
2. Right to be Forgotten: Companies beyond the original search engines will have to have procedures to take down data found to be irrelevant or disparaging about individuals.
3. Data Portability: Right to data portability so individuals can easily transfer their data out of a company's computer systems.
4. Broad Jurisdiction: EU jurisdiction applies broadly. The GDPR has a "long arm" provision that states that its rules apply to any companies selling to an EU citizen or with employees in the EU.
5. Large Fines: Massively increased fines. To date, fines in Europe have usually been lower than the cost of FTC consent decrees or plaintiff class actions in the United States. The GDPR authorizes fines up to 4 percent of global revenue for violations. No one knows what level the fines actually will be, but the potential fines certainly get top management's attention.
The Facebook Ireland Case and Transborder Data Flows
The second issue is a wild card. We don't know if there will be a major disruption in transatlantic data flows or, rather, no disruption at all. Under both the Data Protection Directive and the GDPR, there are strict rules about transferring personal data out of the EU to other countries. Such transfers are only permitted if there is "adequate" protection of personal data when the data gets to the receiving country.
These limits on transborder data flows make sense within the European system. The strict protections of personal privacy only work if the data is protected both at the time of collection and as it moves to other recipients.
In 2000, the EU and the US agreed to the Safe Harbor, under which multinational companies could transfer data from the EU to the US if the company complied with a list of privacy promises. In 2015, the European Court of Justice declared the Safe Harbor unconstitutional under European fundamental rights provisions. A central issue in the case was whether the NSA does so much surveillance of data once it gets to the US that the Europeans could not trust data flows to the US. The ECJ did not rule definitively on that issue. Instead, that issue is being litigated now in a follow-up case whose trial was held in Dublin this winter.
The new case challenges "standard contract clauses," which are a principal way that multinational companies transfer data to the US and most other countries in the world. Under these clauses, the companies agree to come under the jurisdiction of one of the EU privacy agencies and promise in the contracts to follow EU-style privacy protections.
The trial in Dublin lasted five weeks and I was the lead witness on US law for Facebook, which was the company named in the suit. Based on my study of both US surveillance law and EU data protection law, I concluded that the protections against national security surveillance in the US were actually more protective than existed for EU member states.
The decision in that case is expected in May or June, with a possible appeal after that to the European Court of Justice. If the European courts follow some of the language in the 2015 Safe Harbor case, then we really might face a situation where transfers of personal data from the EU to the US are unlawful because of the European view that NSA surveillance is too expansive. On the other hand, if the courts agree with the view that I laid forth, then the data flows likely will not be disrupted.
Practical Measures for CISOs and Their Companies
As CISOs play an important role in their companies' overall information systems, both these developments are potentially very significant. Companies that have any business dealings with Europe today either are or should be getting ready for these substantial changes in European privacy rules. Along with my work as a professor at Georgia Tech, I am senior counsel to Alston & Bird. The firm, along with many other excellent law firms, is helping major companies come into compliance with the complex new GDPR regime. The data breach and other requirements are subject to enforcement in May 2018, so companies should get on a good path immediately to comply.
Concerning the Dublin case, at a minimum, CISOs should be aware that there is a risk of major disruptions between European operations and those in the rest of the company. In terms of planning, executives designing a company's information infrastructure should quite possibly also begin to plan for the possibility of these disruptions. Some companies might decide that their limited operations in Europe are not worth continuing. Companies may also consider what measures will be required to segregate their European operations, at least when it comes to flows of personal data.
In conclusion, the GDPR is a guaranteed major change in European law applicable to any US-based companies that do business in Europe. The Ireland case could create even bigger challenges to those managing IT systems. If you are doing business in Europe, you should have a strategy for facing both developments.
Peter Swire is associate director of policy for the Institute for Information Security & Privacy at the Georgia Institute of Technology, the Nancy J. and Lawrence P. Huang Professor in the Scheller College of Business at Georgia Tech, and an internationally recognized expert in privacy law.