U.S. Safe Harbor

Under current law, personal data can be exported to the U.S., which is not on the jurisdiction safe list, if the data is transferred to a company that is a member of the U.S. Safe Harbor certification program administered by the Federal Trade Commission.

In light of recent revelations about NSA spying, the EU commissioner Viviane Reding has said that Safe Harbor is going to be reevaluated. However, she has also stated it would be irresponsible to suspend the program.

Currently, it's unclear how the European Commission will rule on Safe Harbor. If it is discontinued, many U.S.-based technology companies will be left scrambling to comply with the law.

Binding Corporate Rules

Companies that operate both in and out of Europe can use binding corporate rules (BCRs) to export personal information to another company in their group that is located outside Europe. To do so, the company must apply to its "home" data protection authority; the application is then circulated to the other EU data protection authorities for approval.

Each BCR requires extensive documentation on how the group will provide adequate safeguards for personal data, and is legally binding; the company applying for the BCR is liable for the compliance of the other companies. Under the new regulation, a single data protection authority will approve BCR applications.

Self-Assessment Loophole

Under the current law, in the UK a data controller can undertake a self-assessment and, if satisfied that the data will be adequately protected, the data can be transferred outside Europe. The Information Commissioner, the UK's data regulator, only requires organizations to demonstrate an appropriate analysis has been undertaken.

Under the new law, organizations will no longer be able to perform a self-assessment. Only the European Commission itself will be allowed to decide that an adequate level of protection for personal data is in place.

Model Contractual Clauses

When exporting data to a company in another country, the company receiving the data can sign a model contractual clause approved by the European Commission to meet the adequacy test under the current law. Since each country implemented the current directive in slightly different forms, some European countries require additional steps.

Under the new law, each local data protection authority will adopt model data protection clauses declared valid by the European Commission, or can specifically authorize contractual terms between a data controller and processor.

Other Data Transfer Exceptions

Personal data can be transferred to countries outside the EU in other circumstances, although these are less likely to be relevant in a corporate context. For example, the transfer can take place if individuals to whom the data relates have given consent. In practice, however, it is difficult to secure consent from large numbers of people. This provision is not expected to change under the new law.

Individual Access to Data (and Right of Erasure)

One of the more controversial aspects of the new law is that individuals will now have the right of erasure over data stored about them. Today, individuals can contact a data controller and ask for copies of all data maintained on them; under the new law they will also be able to request that such data be destroyed, and organizations will be legally compelled to comply. This requirement may be tricky to implement, especially for organizations that store data in many different systems.

Sanctions and Litigation

According to the Ponemon Institute, the average cost of a data loss incident rose 23 percent in the last two years to $3.79 million. Part of that cost can be accounted for by fines levied by data protection authorities in Europe. Fines today vary from country to country (up to £500,000, or U.S. $770,000, in the UK), and additional costs include loss of business and impact to an organization's reputation. Individuals can also sue a controller for damages related to a data breach.

Underscoring how serious the EU Commission is about data protection, fines will dramatically increase under the new law to up to €100 million (U.S. $113.2 million) or 5 percent of annual revenue, whichever is higher.

European Data Protection Seal

Another change in the new law is the introduction of a data protection seal that, if attained by both the data controller and the recipient, allows them to meet the adequacy test under the new regulation. Each EU national data protection authority can accredit specialists to carry out the auditing of organizations. If an organization meets the requirements, it can be certified with a seal that is valid for up to five years.

Transitional Periods

Although the new law introduces many new requirements, existing adequacy decisions (such as countries to which data can be exported) by the European Commission will be in place for a five-year sunset period after the new regulation takes effect. Authorizations by data protection authorities (such as transfers based on standard data protection clauses and BCRs) will benefit from a two-year sunset period.

Both transitional periods buy organizations time to implement changes to comply with the new law after it takes effect.

Disclosure of Data Loss

Currently different European countries have varying rules on whether users must be informed of data breaches. Breach reporting to authorities is recommended in all countries and enforced in some countries.

The new law will standardize requirements across all countries. All organizations will be required to notify users if their unencrypted personal data has been lost, and they must notify supervisory authorities within 72 hours of a data breach.

Wrapping up: Assess and Modify Data Protection Procedures

The new European data protection regulation applies to all organizations that do business in Europe or maintain data on EU residents, whether they are headquartered in Europe or not. Stiff new penalties mean that every global organization needs to assess its data protection procedures and modify them in accordance with the new law. Cloud providers, in particular, face strict new requirements that impact how they can operate and store personal data.

Harold Byun is VP of Product Management at Skyhigh Networks. Prior to Skyhigh he worked at MobileIron, where he focused on mobile application delivery and security. He also led the product management group at Zenprise (acquired by Citrix), where he launched their mobile DLP product and cloud offering to market. He worked with the Vontu/Symantec DLP group and is the co-inventor on a patent filed for security risk visualization and scoring.