Oscar_Moreno_PrivacyPaper1.pdf

Moreno 1

Moreno Oscar

IST 415 Security Systems Management

Professor Brough

13 October 2019

Safe Harbor/Shield and US Privacy Law

Security and privacy laws differ between countries and states. Organizations worldwide need to navigate through many laws and comply with many different sets of laws otherwise there will be a loss in revenue or severe financial loss. Thus, organizations must navigate carefully and most importantly thoroughly research the location a business is currently set on establishing themselves in. In addition, agreements between nations also help set a distinct set of regulations, establishing the rules needed to protect how data is transferred and the type of data allowed to be transmitted across borders. All in order to ensure the most adequate privacy possible between two foreign nations. Without an effective guide, companies may take advantage of people where privacy laws aren’t implemented or make it too restrictive, making it so that companies are unable to conduct business.

The Safe Harbor program is an agreement between the U.S Department of Commerce and the European Union that aims to protect the privacy of its nations. However, it is no longer active. The program regulated how personal data of European citizens would be handled by U.S companies. The agreement required companies to inform people their personal data was being collected, inform users what it would be used for, receive permission to transmit data to a third party, provide a way for people to access their data, provide necessary data integrity and security controls, provide the ability to correct or delete information, and provide mechanisms to handle complaints. However, in 2015, the European Court of Justice declared the safe harbor agreement between the United States and the European Union invalid due to a major flaw in this system. This flaw allowed third parties to access information without notifying users that their information was being used and held by an unknown entity.

In 2016, the EU-US Privacy Shield Program was approved by the European Commission as a replacement for the now invalid Safe Harbor program. In the period between the Safe Harbor Program being declared invalid and the Privacy Shield Program being developed, a period existed in which companies were left in a state of limbo, concerned with how they should proceed without a privacy law. After the approval of the Privacy Shield Program U.S companies were now required to meet seven requirements for the processing of personal information such as informing individuals about data processing, providing free and accessible dispute resolution, cooperating with the department of commerce, maintaining data integrity and purpose limitation, ensuring accountability for data transferred to third parties, transparency related to enforcement actions, and Ensuring commitments are kept as long as data is held. This program is important because it protects the privacy of EU citizens from foreign entities. The EU was concerned with the U.S having excessive access to European data and an inability for citizens to address those concerns formally.

Moreno 2

The EU-US privacy Shield Program and the Safe Harbor program share many similarities, however a major difference between the two is that the EU-US privacy Shield program sharpens its focus on individual rights for EU citizens. It demands stricter rules for U.S businesses, while also restricting the U.S government from accessing personal information. The Safe Harbor program only required an organization provide notice and a choice to consumers before sharing information with a third party. An exception was enforced by the Safe Harbor Program which allowed third parties to receive personal information without a notice or providing a choice to individuals if the organization were acting as an agent under the third party. This allowed data from EU citizens to be transmitted and held by many more organizations than what they had thought, and with having no absolute control with who the information is shared with the Privacy Shield Program formed as a result of this loophole. With a new program currently implemented, any third party must now comply with the principles held by the Privacy Shield protection program at the same level as the original organization.

The European Union and the United States have a different methodology on how to approach privacy laws. The EU shares a single unified and robust set of laws called General Data Protection Regulation (GDPR). While the U.S has privacy laws that are not all encompassing, but instead are sector specific, with even some states implementing more robust privacy laws than what is available nationwide. Privacy Shield is an agreement between the EU and US that if met, is deemed to have adequate protection and in compliance with not only Privacy Shield but also meeting the requirement for data transfer for the GDPR. Federal privacy laws in the U.S regulate different sectors such as the HIPPA (healthcare), FISMA (Federal), NIST (non-federal), and GLBA(Finance). Much is left to be desired in the form of privacy laws in the U.S compared to the EU. Some states such as California meet the standards set by the GDPR. In 2002, California became the first state to pass SB 1387 which required the state to immediately disclose to individuals’ breaches of personal identifiable information. And in 2003 California implemented the California Online Privacy Protection Act of 2003. CALOPPA applied to any person or company globally whose commercial website or online services collected personal information from California residents. It required that a website feature a privacy policy stating what information is collected and who it will be shared with. This is like the Privacy Shield Program; both require an organization to notify individuals of what information is collected and specifically who it will be shared with. But laws such as CALOPPA and SB 1387 aren’t immediately adopted by all states and only applies to states that accept is as law. Unlike the EU which operates in a unified manner in the way they implement their privacy laws but also in how the laws are structured.

The Health Insurance Portability and Accountability Act of 1996 (HIPPA) enforces strict guidelines to the Healthcare sector in order to secure personal health information. This law is important because it protects individual’s privacy and results in better quality of care. HIPPA produces secure and shared medical information so that medical professionals can make the best assessments for their patients. The act regulates the healthcare sector, protecting individual’s personal privacy or personal health information. This is important because it protect patients from embarrassment, job discrimination, and potential denial of insurance. Children’s Online Privacy Protection Act of 1998 (COPPA) is sharing a significant number of rules with the Privacy Shield Program except it only protects children’s privacy. One such rule is that websites must have a privacy notice that defines the type of information collected and what its purpose is, and if any information will be disclosed to third parties. In addition, the notice must include contact

Moreno 3

information for the operators of the site catering to children. Privacy Shield Program shares the same requirement only it isn’t just for websites catering to children but expanded to protect all citizens in the EU. Another requirement is that parents must be given the opportunity to review any information collected on their children and provided the opportunity to permanently delete their child’s information from any organization’s record. This requirement is the same rule in the Privacy Shield program regarding having the ability to remove or correct personal information from an organization record. Except, for COPPA unlike the Privacy Shield Program is limited to children.

Gramm-Leach Bliley Act of 1999 (GLBA) aims to protect personal information and the privacy of individuals. This act regulates and puts strict governmental barriers between financial institutions to protect the people. GLBA severely limits the ability for banks, insurance companies, and credit providers to share information with each other, most specifically private and financial information from clients or individuals. Another requirement regarding GLBA is that these organizations must explain how they share and protect customer information. In addition, GLBA must give individuals the ability to opt out from sharing information to third parties. The Privacy Shield program also requires all organizations not just financial organizations to provide users this information and be given an ability to opt out.

Another specialized privacy law implemented in the U.S is the Family Education Rights and Privacy act. FERPA affects educational institutions that accept funding from the federal government. Publicly funded schools grant privacy rights to students eighteen years or older, and to parents of minors. Parents and Students may inspect any educational records maintained by the institution and given the right to correct any mistakes on record. In addition, A school can only release information under special circumstances otherwise the institution must not release any information of any individuals without any prior consent. This act is like many of the laws, and programs previously mentioned. Individuals must be allowed to view and correct any information regarding them, and consent is required to share information. Unlike European privacy law being unified and applied comprehensively, this law among many other privacy laws in the U.S are localized to a single sector.

Privacy laws affect how businesses operate, and the nature of their relationships with other organizations and whom they conduct business with. Ultimately, the nature of business is changing and many of its operations are conducted through the internet, reaching a global audience isn’t unheard. An organization needs to be aware of privacy laws across the globe and comply to the laws required to conduct a business legally. Any large U.S organization is more likely than not conducting business in multiple foreign jurisdictions, and without a unified worldwide agreement privacy laws could be tricky to traverse through for an organization. It can be confusing to concern yourself with every single law around the world, however a simple solution to this is for an organization to adopt a very restrictive set of procedures that complies with all regulations. It is not only important legally speaking to secure the privacy and personal information of your customers as a business but it also very important to respect the information provided by individuals. An organization caring for the privacy of its users can attract more customers than competitors but developing a trusting relationship with its users. In the end, failing to comply to regulations can cost a business its whole operation or leave it unable to conduct business in that region.

Moreno 4

Works Cited

Carron, Christine A., and Martha A. Healey. “Privacy Laws and Regulations around the Globe: the Impact on Doing Business Internationally.” Lexology, 3 Nov. 2009, www.lexology.com/library/detail.aspx?g=2fe09e32-56cc-4ffb-a75f-0ba3d96b4e6b.

“GDPR vs Privacy Shield.” GDPR vs Privacy Shield, www.privacytrust.com/privacyshield/gdpr- vs-privacy-shield.html.

Owen. “How Does Safe Harbor Compare to the EU-US Privacy Shield?” OTAVA, 11 Apr. 2019, www.otava.com/reference/how-does-safe-harbor-compare-to-the-eu-us-privacy-shield/.

Rouse, Margaret, and Matthew Haughn. “What Is Privacy Shield (EU-US Privacy Shield) - Definition from WhatIs.com.” WhatIs.com, Feb. 2017, whatis.techtarget.com/definition/EU-US-Privacy-Shield.

STEWART, JAMES M. CISSP: Certified Information Systems Security Professional Study Guide. WILEY-SYBEX, 2018.