Datica Blog

Privacy Shield: Know the ropes before pulling data back across the pond

Marcia Noyes


Director of Communications

December 4, 2017 | Compliance, Security

If your U.S. company plans to bring health data from the European Union back to the States, you must address an additional privacy requirement laid out by the European Court of Justice. The EU-U.S. Privacy Shield, which replaced the previous Safe Harbour Framework, places a stronger obligation on U.S. companies today. To comply, companies must either self-certify under the EU-U.S. Privacy Shield or obtain a third-party assessment. This self-certification or assessment confirms that your company meets the Privacy Shield Framework requirements designed to protect the personal data of Europeans.

While everyone is gearing up for the General Data Protection Regulation (GDPR), which goes into effect for the European Union on May 25, 2018, the Privacy Shield is one critical facet that cannot be overlooked by customers who aspire to work internationally.

Q & A with Lori Meals

Datica Director of Compliance Lori Meals has been gathering more details on the Privacy Shield and readying Datica for its own self-certification. She recently sat down to answer questions on the topic that will be helpful to you as you think through the necessary steps in bringing private health data back to the states from abroad.

Why are the privacy protections more stringent in the European Union than the U.S.?

Lori Meals: The EU has been more progressive around data privacy, and that’s especially true for Germany. During World War II, the fascist regime used personal information to target people for all sorts of atrocities. Therefore, Europeans are especially sensitive to this sort of personal data being shared.

Why was the Safe Harbour Framework invalidated and the EU-U.S. Privacy Shield enacted in its place?

Lori: It all comes down to Edward Snowden. Remember him? He’s the former National Security Association (NSA) contractor who revealed that the intelligence agency had been spying on European citizen data held by American companies. That snowball quickly rolled downhill to Facebook. Austrian student Max Schrems filed subsequent lawsuits, alleging that Facebook had not been protecting the personal data of Europeans, as extrapolated from the Snowden leaks. Those leaks showed that the NSA performed surveillance on technology companies like Facebook. His complaints landed in the European Court of Justice, whose governance quickly invalidated the Safe Harbour Framework and exacted a seismic shift upon international data privacy.

Is the Privacy Shield certification required for Datica?

Lori: No, it is not incumbent upon us, but it is for our customers, assuming they are expanding into Europe and/or using European citizen data. Without the Privacy Shield, a U.S. company is potentially liable when not adhering to these principles.

Then why is Datica moving down the path toward self-certification for the Privacy Shield Framework?

Lori: The self-certification adds that extra layer of protection for which Datica is known.

What must a customer know about Privacy Shield?

Lori: The Privacy Shield has a couple of important vocabulary words: data controller and data processor. Datica would be the “data processor” because we only work on behalf of those who are collecting the data. The Privacy Shield lays out the data protection principles that give an individual the right to know that a company holds their data, and the right to request that such data be deleted, updated or changed, as well as to request copies of it.

Is there anything else that a Datica customer needs to know?

Lori: Before expanding into Europe, U.S. companies must sign a Data Processing Agreement (DPA). The DPA signifies the agreement the parties have made with respect to the terms governing personal data processing. Organizations will also need to contract with a third party to handle complaints about how the organization handles data, should any arise.

How does this impact digital health companies long-term?

Lori: The rules and regulations have become more stringent for U.S. companies involved in cross-border data transfers. Abiding by the European requirements is imperative for staying out of hot legal water.

Datica exists to help make digital health companies successful whether they work solely with U.S. citizen data or if they dip a toe into the commercial waters between countries. We live in a thriving, global digital economy today. When everyone follows the rules, we increase the chances of digital health success and decrease the chances of getting our hands and wallets slapped in court.
