Shifting Ground for Data Privacy: The Latest on CCPA and Privacy Shield Laws
GDPR? Old news. (We’ll just pass over the fact that many organizations have yet to reach compliance…that’s another story.) While hosting providers that advertise to European companies and individuals must comply with the EU law, there are other legal requirements that US-focused organizations have to consider, namely Privacy Shield and an upcoming compliance mandate in the state of California that is similar to GDPR itself.
Privacy Shield is an international law in flux, with EU lawmakers threatening to withdraw entirely if the USA does not enforce compliance. The California Consumer Privacy Act (CCPA) will go into effect in 2020.
What do these laws entail? And should your organization be concerned with these data privacy measures?
Privacy Shield in the Midst of EU-US Conflict
Privacy Shield is an international agreement between the European Union and United States regarding data privacy and sharing. It has existed since 2016, when it replaced the Safe Harbor data sharing framework.
Companies that transfer personal data from the EU to the USA must self-certify with the US Department of Commerce that they comply with 23 requirements relating to the use and treatment of that data, and that they provide mechanisms for requesting that data and options for recourse for European citizens.
Privacy Shield may seem to have been superseded by the General Data Protection Regulation (GDPR), but in practice the two work in tandem. GDPR does go further in its protections than Privacy Shield, but it is enforced by European bodies rather than the US government.
However, the United States has not been enforcing Privacy Shield compliance and has not appointed required officials. This led the EU commissioner for Justice to issue an ultimatum to the US secretary of commerce: comply or the agreement will be suspended, in theory ending all data sharing between the US and EU, at least for personal information used for commercial purposes.
Meanwhile, the same plaintiff who brought down the Safe Harbor framework has turned towards Privacy Shield as well, bringing litigation that essentially claims information transferred under Privacy Shield does not have enough protections from United States surveillance policies or corporate practices. The European Parliament seems to agree, calling out the Facebook-Cambridge Analytica scandal as an example of how enforcement of Privacy Shield is lacking.
If Privacy Shield is retracted, there will likely be a lengthy process as a new international agreement is hammered out, resulting in new compliance standards for companies that process and transfer personal information between the EU and USA.
California Consumer Privacy Act and Data Privacy at Home
The EU is not the only party concerned about its citizens’ data privacy. California recently passed the CCPA, which mirrors the GDPR in many ways, including allowing consumers to request the extent and specifics of their personal data held by companies.
It applies to all companies with at least $25 million in revenue that serve California residents, whether based in California or not. Companies with under $25 million in revenue that collect personal information from 50,000 or more Californians must also comply. Finally, a company that derives over 50% of its revenue from selling personal data must comply.
CCPA fines companies on a per-record basis for failing to protect individual personal information. Companies have 30 days to locate the source of a breach and report the overall scope. It also opens the door for consumer lawsuits if CCPA guidelines are broken, even if there is no data breach.
Compliance involves multiple security control layers, from physical to digital, including encryption, anonymization, and access control. Data tracking must be implemented in order to serve any data requests from citizens. The law goes into effect in 2020.
What Data Privacy Laws Mean for I.T. Providers
Data centers, cloud hosting providers, and IT service organizations all process and store vast quantities of personal data on a regular basis. While halting the spread of information over the internet may seem like an impossible proposition, large fines could await should you remain unprepared for a data deletion request or government audit — in addition to potential private lawsuits.
The most intensive step is implementing data tracking and inventory systems that allow you to pull up and delete all instances of personal data across your entire infrastructure. This is assuming you already have many data security layers in place as a responsible service provider, such as encryption options, intrusion detection, and access controls.
The Privacy Shield hubbub goes to show that data privacy laws remain a moving target, and are unlikely to ever be fully settled, especially across international lines. The best solution is to remain as high-security as possible, adhering to the latest best practices in information security and auditing, and going beyond any required compliance standards when possible. If you make proactive infosec a priority, most of these mandates will already be covered.