In the US, we do not tend to think much about data privacy in the workplace. We generally default to a belief that our employer owns the network and devices, so it has the legal right to store, process (and view) the content that we create – even email messages. But those rules are not the same in many other areas of the world, particularly in the European Union. And many organizations with operations outside of the US may soon find themselves in the middle of a clash of cultures.
In the EU, personal data, which is broadly defined, is subject to the EU’s data privacy directive. Personal data cannot be processed or transferred outside the EU area, such as to the US, without an “adequate safeguard”. In practice, this means that everyday IT operations such as archiving, backup and even transfers between data storage devices (such as tiering) must have an “adequate safeguard” whenever personal data moves from the EU to the US.
Most organizations in this situation have relied on a relatively straightforward Safe Harbor self-certification to meet the “adequate safeguard” requirement. But recent developments, including news of the NSA’s surveillance operations, have put the Safe Harbor at risk, with some calling for its repeal. In addition, German data protection authorities are already limiting the Safe Harbor exception. These developments may require many organizations to find a new safeguard from limited options: either Model Contracts or Binding Corporate Rules, both of which are more complex and difficult to implement in practice.
Of course, many organizations have long relied upon a third option — the unofficial “head in the sand” exception where transfers are made without any recognized safeguard in place. Generally speaking, enforcement of the data privacy directive has been sporadic. But even that may be changing, with proposed changes to the privacy directive enabling fines of up to 2% of global revenue for violators. That threat could force many “head in the sand” users into strict compliance.
For now, the Safe Harbor remains in place. With the recent activity, it’s probably a good idea to run an internal audit to confirm your organization’s compliance. As the EU becomes even more aggressive in this area, many organizations will need to strike a better balance between the lax privacy requirements of the US and an increasingly strong privacy regime in the EU.