After a long wait while bureaucrats worked out the details of new EU data protection law, the European General Data Protection Regulation (GDPR) is here – or at least, it will be in two years. In the wake of Safe Harbour and Privacy Shield, the latest data sharing agreement between the EU and the United States, the GDPR affects all businesses processing personal data, but how?
What is the GDPR?
The GDPR is the European Commission's latest attempt to strengthen data protection for EU citizens, including when their data is exported outside the EU.
"The approval of the General Data Protection Regulation is by far the largest shake-up of data protection rules so far this century," says Michael Hack, SVP of EMEA operations at Ipswitch, whose survey of 300 European IT professionals revealed that nearly 70% said they'd need to invest in new technologies or services to help prepare the business for the impact of the GDPR.
The GDPR includes more than 50 Articles, and must be implemented by each of the 28 EU member states by 2018.
Why did it take so long to agree?
"When you're dealing with fundamental human rights, it's probably worth taking a bit of time to make sure you've got the right protections in place," says Tamzin Evershed, Legal Director at Veritas, who insists that the global data processing arena is a new and complex place. It's all about balancing privacy against the need for governments to protect against terrorists.
"It's like herding cats – there are a lot of EU nations all of whom want to have their say, and to complicate things, it also has to have the USA agree," says Guy Bunker, a Senior Vice President at cybersecurity specialist Clearswift. It's no easy deal.
What was wrong with Safe Harbour?
After the mass surveillance of EU citizens by the NSA's PRISM came to light in 2014, German law student Max Schrems argued that his Facebook data was not safe in the US, and the European Court of Justice agreed.
"In practice, US companies were seen to not take the regulations seriously and were simply using it as a 'tick box' exercise in order to do business with the EU," says Janine Regan, Associate at Charles Russell Speechlys. Truth is, it was 15 years old, horribly outdated, and wasn't audited.
"Safe Harbour was created in a different era – pre-9/11, pre-cloud and pre-Snowden – and wasn't intended for the massive volumes of cross-border data traffic we see today," says Willy Leichter, global director of CipherCloud.
"European citizens had no recourse to the US court system if a US-based service lost their data and data could be intercepted by US authorities," says Nigel Hawthorn, Chief European spokesperson at Skyhigh Networks. It was only a matter of time before the European court decided that Safe Harbour was not fit for purpose.
However, the core of this issue is that attitudes to data privacy in the US and EU are polar opposites. "EU attitudes towards data privacy which favour the rights of the individual are at loggerheads with those of the US under the US Patriot Act which favours the rights of the state," says Penny Jones, senior analyst for European services at 451 Research.
What is the Privacy Shield?
A stop-gap between the demise of Safe Harbour and the incoming GDPR in 2018, the EU's hastily agreed Privacy Shield is what we have for the next two years. "The two-year review is intended to analyse how the Privacy Shield complies with the new General Data Protection Regulation, which will be implemented in all Member States by then," explains Ann Bevitt, privacy and data security Partner at law firm Cooley.
However, the Privacy Shield is seen – from a European perspective – as weak, and unable to prevent NSA surveillance of EU citizens. "The Privacy Shield is taking so long to agree due to the vast legal differences between the EU and US, especially when it comes to the handling of personal data," says Gunter Ollmann, CSO, Vectra Networks.
"Broadly speaking we have agreement on the commercial use of data, the ideas of informed consent and security, but the US government is having a hard time fettering its surveillance activities in the name of national security," says Ross Woodham, Director Legal Affairs and Privacy, Cogeco Peer 1. Cue the Freedom Act, which was implemented in November, and didn't help matters with the EU.
"It only applied modest restrictions to data collection, and these restrictions are fairly meaningless in the context of some of the other powers of the US surveillance program," says Woodham.