Europe's Data Protection Regs: What You Need to Know


By Harold Byun, Skyhigh Networks

If your company does business in Europe, you're likely familiar with the European Union's strict data privacy laws. The laws require you to obtain permission before sharing personal data identifying EU residents with a third party and, in some cases, prevent you from moving or storing that data outside the EU.

The current legal framework is based on a 1995 law called the EU Data Protection Directive, which was ratified by each EU member state in varying forms. However, the law is changing soon. The European Commission is drafting a stricter piece of legislation due to take effect in 2017.

The new law will be a regulation. Unlike a directive, it will take effect immediately across all EU member states without having to be independently ratified by each country. The penalties for non-compliance have also been toughened. Companies violating the new law can face fines of up to €100 million (U.S. $113.2 million) or 5 percent of a company's annual revenue, whichever amount is higher.

Both the existing directive and new regulation are meant to protect personally identifiable information, which includes any information used to identify an individual such as their name, date of birth, email address, computer IP address and photo. If adopted in its current form, the new regulation will be more prescriptive in its requirements.

Under previously enacted laws, data "controllers" (organizations that own the data, such as a retailer that maintains customer information) bear the responsibilities, while data "processors" (organizations that handle the data on behalf of the controller, such as a cloud provider) do not. The new law will impose statutory obligations on data processors for the first time.

Many organizations that process data are not yet prepared to meet these requirements. Last year, it was reported that only one in 100 cloud companies met requirements under the new law.

There are 15 primary changes coming with the new regulation, summarized below:

Right to Share Information

The current EU data protection directive prohibits sharing personal data with third parties unless one of several conditions is satisfied. Under the new law, data controllers will still need to have a "legitimate interest" to share data, but they must also inform individuals their data is being shared, remind them of their right to object, and document their interests and reminders made.

Tokenized Data

Under the new regulation, if personal data has been rendered indecipherable via tokenization, it is assumed to meet an individual's reasonable expectations of privacy. While similar conceptually to encryption, tokenization differs in one critical way: Tokenized data cannot be reversed back to its original form mathematically. For this reason, the EU Commission considers that if data has been tokenized, it can be transferred.
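The distinction drawn above, as an added example that is not part of the original article: a vault-based tokenizer in which every token is a random value, so the only way back to the original is a lookup in a table that stays with the data controller. The `TokenVault` class, the field names and the sample record are constructed for illustration; the article does not specify an implementation.

```python
import secrets

PERSONAL_FIELDS = ("name", "email", "date_of_birth")  # assumed field names


class TokenVault:
    """Hypothetical vault: random tokens, lookup table kept by the controller."""

    def __init__(self):
        self._by_value = {}  # original value -> token
        self._by_token = {}  # token -> original value

    def tokenize(self, value):
        # Reuse the token for a repeated value so tokenized records still join.
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(16)  # random, not derived from value
            while token in self._by_token:          # collision guard
                token = "tok_" + secrets.token_hex(16)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token):
        # Reversal is a table lookup; without the table there is nothing to compute.
        return self._by_token[token]


def export_record(record, vault, fields=PERSONAL_FIELDS):
    """Copy of record with personal fields replaced by tokens."""
    return {k: vault.tokenize(v) if k in fields else v for k, v in record.items()}


def restore_record(record, vault, fields=PERSONAL_FIELDS):
    """Inverse of export_record; raises KeyError if the vault lacks a token."""
    return {k: vault.detokenize(v) if k in fields else v for k, v in record.items()}


# Constructed sample record, not real data.
SAMPLE = {"name": "Anna Beispiel", "email": "anna@example.org",
          "date_of_birth": "1980-02-29", "order_total": "49.90"}

if __name__ == "__main__":
    vault = TokenVault()
    exported = export_record(SAMPLE, vault)
    print(exported)                                   # tokens in personal fields
    print(restore_record(exported, vault) == SAMPLE)  # only the vault holder can restore
```

With encryption, anyone who obtains the key can recompute the plaintext from the ciphertext alone; here a second, empty vault cannot restore the exported record at all.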

Data Security

Under the current law, organizations must take "appropriate measures" to ensure the security of personal data, including guarding against hacking, preventing internal threats, patching vulnerabilities in IT systems and having appropriate policies in place. When data controllers share information with data processors, they must have a binding written agreement in place to ensure these safeguards. The proposed law will directly apply these requirements to data processors, including major cloud providers.

Transferring Data Outside EU

The current law prohibits transferring personal data outside the EU to countries that do not have equivalently strong data protection laws. Currently, the EU only considers 11 countries in the world to have equivalently strong data laws. Therefore, transferring this information to any other country, except in instances where the data processor follows U.S. Safe Harbor certification, is prohibited.

The new law would keep these requirements, but extend enforcement to data processors, such as cloud providers that in the normal course of offering their service transfer and store information in data centers around the world.

Safe Jurisdiction List

Today, the European Commission maintains a list of countries that are approved to store EU data. Under the new law, the commission will determine and allow information to be stored in approved countries, territories, processing sectors in a country or an international organization, based on their level of protection of personal data.

U.S. Safe Harbor

Under current law, personal data can be exported to the U.S., which is not on the jurisdiction safe list, if the data is transferred to a company that is a member of the U.S. Safe Harbor certification program administered by the Federal Trade Commission.

In light of recent revelations about NSA spying, the EU commissioner Viviane Reding has said that Safe Harbor is going to be reevaluated. However, she has also stated it would be irresponsible to suspend the program.

Currently, it's unclear how the European Commission will rule on Safe Harbor. If it is discontinued, many U.S.-based technology companies will be left scrambling to comply with the law.

Binding Corporate Rules

Companies that operate both in and out of Europe can use binding corporate rules (BCRs) to export personal information to another company in their group that is located outside Europe. To do so, the company must submit an application to its "home" data protection authority; the application is then circulated to other EU data protection authorities for approval.

Each BCR requires extensive documentation on how the group will provide adequate safeguards for personal data, and is legally binding; the company applying for the BCR is liable for the compliance of the other companies. Under the new regulation, a single data protection authority will approve BCR applications.

Self-Assessment Loophole

Under the current law, in the UK a data controller can undertake a self-assessment and, if satisfied that the data will be adequately protected, the data can be transferred outside Europe. The Information Commissioner, the UK's data regulator, only requires organizations to demonstrate an appropriate analysis has been undertaken.

Under the new law, organizations will no longer be able to perform a self-assessment. Only the European Commission itself will be allowed to decide that an adequate level of protection for personal data is in place.

Model Contractual Clauses

When exporting data to a company in another country, the country receiving the data can sign a model contractual clause approved by the European Commission to meet the adequacy test under the current law. Since each country implemented the current directive in slightly different forms, some European countries require additional steps.

Under the new law, each local data protection authority will adopt model data protection clauses declared valid by the European Commission, or can specifically authorize contractual terms between a data controller and processor.

Other Data Transfer Exceptions

Personal data can be transferred to countries outside the EU in other circumstances, although these are less likely to be relevant in a corporate context. For example, the transfer can take place if individuals to whom the data relates have given consent. In practice, however, it is difficult to secure consent from large numbers of people. This provision is not expected to change under the new law.

Individual Access to Data (and Right of Erasure)

One of the more controversial aspects of the new law is that individuals will now have the right of erasure over data stored about them. While today individuals can contact a data controller and ask for copies of all data maintained on them, they will now be able to request that any such data be destroyed, and these organizations will be legally compelled to comply. This requirement may be tricky to implement, especially for organizations that store data in many different systems.

Sanctions and Litigation

According to the Ponemon Institute, the average cost of a data loss incident rose 23 percent in the last two years to $3.79 million. Part of that cost can be accounted for by fines levied by data protection authorities in Europe. Fines today vary from country to country (they are up to £500,000, or U.S. $770,000, in the UK), and additional costs include loss of business and impact to an organization's reputation. Individuals can also sue a controller for damages related to a data breach.

Underscoring how serious the EU Commission is about data protection, fines will dramatically increase under the new law to up to €100 million (U.S. $113.2 million) or 5 percent of annual revenue -- whichever is higher.

European Data Protection Seal

Another change in the new law is the introduction of a data protection seal that, if attained by the data controller and recipient, allows them to meet the adequacy test under the new regulation. Each EU national data protection authority can accredit specialists to carry out the auditing of organizations. If an organization meets requirements, it can be certified with a seal that is valid for up to five years.

Transitional Periods

Although the new law introduces many new requirements, existing adequacy decisions (such as countries to which data can be exported) by the European Commission will be in place for a five-year sunset period after the new regulation takes effect. Authorizations by data protection authorities (such as transfers based on standard data protection clauses and BCRs) will benefit from a two-year sunset period.

Both transitional periods buy organizations time to implement changes to comply with the new law after it takes effect.

Disclosure of Data Loss

Currently, different European countries have varying rules on whether users must be informed of data breaches. Breach reporting to authorities is recommended in all countries and enforced in some countries.

The new law will standardize requirements across all countries. All organizations will be required to notify users if their unencrypted personal data has been lost, and they must notify supervisory authorities within 72 hours of a data breach.

Wrapping up: Assess and Modify Data Protection Procedures

The new European data protection regulation applies to all organizations that do business in Europe or maintain data on EU residents, whether they are headquartered in Europe or not. Stiff new penalties mean that every global organization needs to assess its data protection procedures and modify them in accordance with the new law. Cloud providers, in particular, have strict new requirements that impact how they can operate and store personal data.

Harold Byun is VP of Product Management at Skyhigh Networks. Prior to Skyhigh he worked at MobileIron, where he focused on mobile application delivery and security. He also led the product management group at Zenprise (acquired by Citrix), where he launched their mobile DLP product and cloud offering to market. He worked with the Vontu/Symantec DLP group and is the co-inventor on a patent filed for security risk visualization and scoring.