On April 14, 2016, the EU Parliament passed the long-awaited new EU rules for personal data protection (GDPR). Everyone who holds or processes data on individuals in the 28 countries of the EU has until Star Wars Day 2018 (May 4) to comply.
The top 10 provisions of the regulation are:
It is a global law. No matter where you are in the world, if you have data on individuals in the EU and lose it, you are responsible and can be fined. As an example, if you have a web site and a European comes on and enters their contact information, you have to conform.
Increased fines. Up to 4% of global turnover or €20,000,000 (US$22M)
Opt-in regulations. Users must give clear consent to opt-in to their data being collected and you must only use it for the purpose defined. No opting out, no hidden terms, no selling/giving data to other people.
Breach notification. If you lose data, you have 72 hours to tell the authorities.
Joint liability. If multiple companies process the data, they are all liable if data is lost, so if you hold data YOU are responsible if data gets lost via a risky cloud service.
Users can demand their data back, that it is updated and deleted. If you hold data, you need to work out how to achieve those.
Removes ambiguity. One law across all 28 countries of the EU.
Common enforcement. The authorities are expected to enforce consistently across all the countries, the good news is data holders only need to deal with one authority.
Collective redress. Users can sue together if data is lost in class action lawsuits.
Data transfer. Data transfer from the EU is allowed, but subject to strict conditions.
If you work for a company collecting data, you are responsible for the security of that data no matter where it gets processed. It’s more important than ever that you know the shadow IT services that employees may be using, as they could be the conduit for data loss and your organisation will be liable.
There’s some good news for IT in the regulation – the new rules encourage privacy-friendly techniques such as pseudonimysation, anonymisation, encryption and data protection by design and by default. So capabilities such as encrypting data before it is uploaded to the cloud, especially when harnessed with keeping the keys on premises, can reduce your liabilities.
This is good news for EU citizens, as they will have strong and clear rights over their personal data, its collection, processing and security.
Some organizations have in the past treated personal data as a cheap commodity but this regulation clearly shows how valuable data really is and demands that they treat it with great respect.
We should all put a value on data about ourselves and our families and embrace this legislation because the outcome is that all of our data will be safer.
In a 58-page opinion published April 13, 2016, the influential European Union Article 29 Working Party (WP29), which includes representatives of the data protection authorities of the 28 EU Member States, expressed significant concerns with respect to the terms of the proposed EU-US Privacy Shield that is intended to replace the EU-US Safe Harbor.
The WP29 made numerous critiques to the proposed EU-US Privacy Shield framework. Some of which include, for example, the lack of consistency between the principles set forth in the Privacy Shield documents and the fundamental EU Data Protection principles outlined in the 1995 EU Data Protection Directive, the proposed EU General Data Protection Regulation, and related documents.
The WP29 group also requested clearer restrictions for the onward transfer of personal information that occurs after personal data of EU residents is transferred to the US. The WP29 is especially concerned with the subsequent transfer of data to a third country, outside the United States. In addition, the WP29 continues to be concerned about the effect, scope, and effectiveness of the measures proposed to address activities of law enforcement and intelligence agencies, often described as a “massive collection” of data.
Background On Feb. 29, 2016, the European Commission and U.S. Department of Commerce published a series of documents intended to constitute a new framework for transatlantic exchanges of personal data for commercial purposes, to be named the EU-U.S. Privacy Shield. The Privacy Shield would replace the EU-US Safe Harbor, which was invalidated by the Court of Justice of the European Union (CJEU) in October 2015, in the Schrems case.
Since the publication of the draft Privacy Shield documents, the WP29 members have convened in a series of meetings over the course of the past six-weeks in order to evaluate these documents and come up with a common position.
The results of this 6-week evaluation were expressed in an opinion entitled: “Opinion 01/2106 on the EU-US Privacy Shield Draft Adequacy Decision – WP 238,” published on April 13, 2016. The 58-page document, which is well-drafted and thoughtful, contains numerous positive comments about the efforts of the EU and US in trying to design a framework that would adhere to the two-page guidance published at the end of January, which outlined the key aspects of the proposed cross-Atlantic framework.
The document also expressed a wide variety of concerns with respect to the proposed EU-US Privacy Shield. The WP29 group was concerned by: (i) the commercial provisions (which address issues similar to those addressed in the Safe Harbor principles); (ii) the surveillance aspects (specifically, the possible derogations to the principles of the Privacy Shield for national security, law enforcement, and public interests purposes); as well as, (iii) the proposed joint review mechanism.
Commercial Aspects Consistency with Data Protection Principles The WP29 indicated in its Opinion that its key objective is to make sure that the Privacy Shield would offer an equivalent level of protection for individuals when personal data is processed. The WP29 believes that some key EU data protection principles are not reflected in the draft documents, or have been inadequately substituted by alternative notions.
While it does not expect the Privacy Shield to be a mere and exhaustive copy of the EU legal framework, the WP29 stressed that the Privacy Shield should contain the substance of the fundamental principles in effect in the European Union, so that it can ensure an “essentially equivalent” level of protection. To this point, WP29 explains that the data retention principle is not expressly mentioned and there is no wording on the protection that should be afforded against automated individual decisions based solely on automated processing. The application of the purpose limitation principle to data processing is also unclear.
Onward Transfers
The WP29 paid special attention to onward transfers, an issue that was key to the Safe Harbor decision. It believes that the Privacy Shield provisions addressing onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose, and the guarantees applying to transfers to Agents.
The WP29 noted that since the Privacy Shield would be used to address onward transfers from a Privacy Shield entity located in the US to third country recipients, it should provide the same level of protection on all aspects of the Shield, including national security. In case of an onward transfer to a third country, every Privacy Shield organization should have the obligation to assess any mandatory requirements of the third country’s national legislation applicable to the data importer before making the transfer.
Recourse Mechanisms
Finally, although the WP29 notes the additional recourses made available to individuals to exercise their rights, it is concerned that the new redress mechanism may prove to be too complex in practice and difficult to use for EU individuals, and therefore, ineffective. Further clarification of the various recourse procedures is therefore stressed; in particular, where they are willing, the WP29 suggests that EU data protection authorities could be considered as a natural contact point for EU individuals involved in these complex redress procedures, and could have the option to act on their behalf.
National Security Derogations for National Security Purposes
The WP29 observed that the draft EU Commission Adequacy Decision extensively addresses the possible access to data processed under the Privacy Shield for purposes of national security and law enforcement. It also notes that the US Administration, in Annex VI of the documents, also provides for increased transparency on the legislation applicable to intelligence data collection.
Massive Collection Regarding the massive collection of information, the WP29 notes that the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not exclude massive and indiscriminate collection of personal data originating from the EU. This brings concerns for the protection of the fundamental rights to privacy and data protection. The WP29 pointed to other resources for clarification on this point, such as the forthcoming rulings of the CJEU in cases regarding massive and indiscriminate data collection.
Redress Concerning redress, the WP29 welcomes the establishment of an Ombudsperson as a new redress mechanism. Concurrently, it expressed its concern that this new institution might not be sufficiently independent, might not be vested with adequate powers to effectively exercise its duty, and does not guarantee a satisfactory remedy in case of disagreement.
Annual Joint Review
Regarding the proposed Annual Joint Review mechanism mentioned in the Privacy Shield framework, the WP29 noted that the Joint Review is a key factor to the credibility of the Privacy Shield. It points out, however, that the specific modalities for operations, such as the resulting report, its publicity, and the possible consequences, as well as the financing, need to be agreed upon well in advance of the first review.
Drafting Deficiencies Consistency with the General Data Protection Regulation The WP29 notes that the Privacy Shield needs to be consistent with the EU data protection legal framework, in both scope and terminology. It suggests that a review should be undertaken shortly after the entry into application of the General Data Protection Regulation (GDPR), to ensure that the higher level of data protection offered by the GDPR is followed in the adequacy decision and its annexes.
Structure and Content
Regarding the structure and content of the documents, the WP29 noted that the complexity of the structure of the documents that constitute the Privacy Shield make the documents difficult to understand. They are also concerned that the lack of clarity in the new framework might cause it to be difficult to comprehend by data subjects, organizations, and even data protection authorities. In addition, they note occasional inconsistencies within the 110 pages that form the current draft of the Privacy Shield framework. The WP29 urges the Commission to make the documents more clear and understandable for both sides of the Atlantic.
Conclusion
In its 58-page opinion, the WP29 made great efforts to point to the improvements brought by the Privacy Shield compared to the Safe Harbor decision. However, overall, the evaluation of the 110-page proposed Privacy Shield framework is generally negative. The WP29 appears to doubt that the protection that would be offered under the Privacy Shield would be equivalent to that of the EU. The extent to which the EU Commission will be able to address these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the proposed documents remains to be seen.
Six months after the CJEU invalidated the EU Commission decision that had created the EU-US Safe Harbor, it seems that cross-Atlantic data transfers are still in limbo. There is still no simple, business friendly solution to addressing the stringent prohibition against cross border data transfers between EU/EEA entities and US based companies. The viability of the Privacy Shield remains in question. With the negative opinion issued by the WP29, a very influential body of the European Union, it is uncertain whether and when a stable and final draft will be completed. Assuming such framework may reach a form that is satisfactory to both sides, it would then need to be implemented. At a minimum, a new infrastructure, a website, and additional personnel will also be needed to make it operational—these are all things that take even more time.
In the meantime, US companies that built their operations and business models around the simple and easy to use EU-US Safe Harbor should review the legality of their cross border data transfers with their counsel. With no light at the end of the tunnel, it is urgent that they evaluate and implement means to address the stringent restriction against cross border data transfers in effect in the European Union and European Economic Area, and that they understand and address the needs of their counterparts in the EU/EEA region in order to minimize the risk of enforcement action against the European entities.
Françoise Gilbert,Global Privacy and Cybersecurity Attorney, Greenberg Traurig
Three-day course to be held in conjunction with Cloud Security Summit 2016
The Cloud Security Alliance (CSA) is pleased to announce that it will host its CCSK Train the Trainer course in Milan (May 17 and 18-19) at the ITWAY Academy as part of the Cloud Security Summit 2016. Conducted by recognized international CCSK trainer Moshe Ferber, the three-day course series is designed to provide comprehensive training for those partners and professionals interested in becoming certified to teach CSA’s Certificate of Cloud Security Knowledge (CCSK) course. Participants will be able to take either the full course series, which includes the CCSK Basic, CCKPlus and Train the Trainer classes, or just those classes they need to fulfill their certification requirements.
Since the CSA first released the CCSK in 2010, thousands of IT and security professionals have taken the opportunity to upgrade their skillsets and enhance their careers by obtaining CCSK certification. The course has become an integral part of training for those IT professionals looking to expand their knowledge of cloud security, so much so that CIO.com listed CCSK as #1 on its list of Top Ten Cloud Computing Certifications.
“There has been tremendous demand for more CCSK trainers in the European markets. The Train the Trainer course in Italy provides a unique opportunity for those interested in teaching the CCSK both in Italy and the EMEA,” said Alberto Manfredi, CSA Italy president. “We’re happy to be able to provide this important course in conjunction with the Cloud Security Summit 2016, the national conference organized by CSA Italy, Assintel and Clusit. We’d also like to thank our training partner ITWAY for generously providing the training facility.”
The CCSK is designed to ensure that a broad range of professionals with responsibilities related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud. The CCSK test is a web-based, multiple-choice examination of individual competency in key cloud security issues as articulated by CSA.
There will be three days of instruction, broken up as follows:
Day 1 (May 17): The Certificate of Cloud Security Knowledge (CCSK) Basic class provides students a comprehensive one-day review of cloud security fundamentals and prepares them to take the Cloud Security Alliance CCSK certification exam. Starting with a detailed description of cloud computing, the course covers all major domains in the latest guidance document from the Cloud Security Alliance, and the recommendations from the European Network and Information Security Agency (ENISA).
Day 2 (May 19): The CCSK-Plus class builds upon the CCSK Basic class with expanded material and extensive hands-on activities with a second day of training. The Plus class enhances the classroom instruction with real-world cloud security labs. Students will learn to apply their knowledge as they perform a series of exercises while they complete a scenario of bringing a fictional organization securely into the cloud. This second day of training includes additional lecture time, although students will spend most of their time assessing, building and securing a cloud infrastructure during the exercises. Activities include creating and securing private clouds and public cloud instances, as well as encryption, applications, identity management and much more.
Day 3 (May 20): The CCSK Instructor workshop adds a third day to the course to train prospective trainers. More detail about how to teach the course will be presented, as well as a detailed look into the hands-on labs, and an opportunity for all trainers to present a portion of the course.
Building a trusted cloud ecosystem is a broad initiative requiring a global educational outreach. The CCSK is intended to be an important educational foundation for a wide variety of professionals: IT, information security, audit, risk management, legal and many others. The CSA intends to fulfill the global cloud security educational requirements through a 100-percent partner delivered training capability, the CCSK Training Partner Program, and to support a better knowledge transfer to local security professionals using chapter initiatives.
To register for training (Base, Plus and/or Train the Trainer), visit www.itwayacademy.com.
The Cloud Security Alliance would like to invite you to review and comment on a proposed Cloud Data Center Security Working Group Charter. The focus of the Cloud Data Center Security working group is to develop and maintain a research portfolio providing capabilities to assist the cloud provider industry in enhancing their Data Centers’ security. This working group will be a forum for corporations, organizations and individuals who are interested in the topic on cloud data center security. The goal in forming this working group is to spark discussions on projects and issues regarding securing cloud data center. The mission of the Cloud Data Center Security working group is to develop a universal security guidance document which will be applicable regardless of size and industry.
This is your opportunity to provide feedback and identify any critical areas that we might miss in our working group’s focus. The open review and comments period starts today and ends on May 21, 2016.
We appreciate your assistance. Thank you in advance for your time and contribution. If you are interested in getting involved with the Cloud Data Center Security working group, please contactresearch@cloudsecurityalliance.org.
Despite some surveys that say Bring Your own Device (BYOD) is growing, the CyberEdge Group’s recently released 2016 Cyberthreat Defense Report found that enterprise BYOD programs have stalled. Only one-third of respondents this year had implemented a BYOD policy—the same as two years ago. And 20 percent still have no plans to add one.
The delay in leveraging BYOD programs may be because organizations find them harder to establish, manage and secure than first thought. But the lack of an official policy doesn’t mean employees aren’t plugging their unapproved devices into the network. A Gartner survey found that 45 percent of workers use a personal device for work without their employer’s knowledge.
So here are answers to three key BYOD sticking points, to help organizations get unstuck and leverage the increased productivity gains BYOD can bring:
Q: How do we separate corporate and personal data on a device? A: Containerization.
Most mobile device management (MDM) programs today allow you to separate the corporate workspace from the personal workspace on mobile devices. Containerization, also know as sandboxing, helps reduce the number of policies required to effectively manage mobile risks. It can also assuage employee fears that if they’re terminated or report a device missing, you’ll wipe away the entire contents of their device—including personal data like photographs and emails.
Q: How do we keep tabs on all that roaming mobile data? A: With a comprehensive cloud endpoint backup system.
Modern cloud endpoint backup solutions serve as the new data guardian, continuously and automatically moving data from a device to the cloud and back again to a new machine whenever it’s needed. It protects enterprise data by continuously backing up every change and deletion. The best endpoint backup systems also give IT a comprehensive, single point of aggregation and control. You can see what’s on your network, how each device is configured, how it interacts with your environment, as well as where and when data was created, if it’s been altered, and who changed it. This happens whenever the machine is connected to the Internet, without prompting the user to engage with it, all while running seamlessly and silently in the background.
Q: Who pays and how? A: You, the enterprise, by automating reimbursement.
With California leading the way, BYOD reimbursement won’t just be the ethical thing to do, it will be legally required under fair labor laws. But manually managing reimbursement via expense reports is archaic and expensive. It can cost $15 to $20 per expense report in internal labor, because so many different departments have to touch the report, from accounts payable to finance to IT. Instead, do like Intel did and automate reimbursement by setting up corporate-funded plans with mobile providers. That way, your company takes care of the bill and can negotiate corporate discounts with providers.