Mountain West Farm Bureau Insurance
office workers empowered by business technology solutions

Shifting Ground for Data Privacy: The Latest on CCPA and Privacy Shield Laws

No items found.

GDPR? Old news. (We’ll just pass over the fact that many organizations have yet to reach compliance…that’s another story.) While hosting providers that advertise to European companies and individuals must comply with the EU law, there are other legal requirements that US-focused organizations have to consider, namely Privacy Shield and an upcoming compliance mandate in the state of California that is similar to GDPR itself.

Privacy Shield is an international law in flux, with EU lawmakers threatening to withdraw entirely if the USA does not enforce compliance. The California Consumer Privacy Act (CCPA) will go into effect in 2020.

What do these laws entail? And should your organization be concerned with these data privacy measures?


Privacy Shield in the Midst of EU-US Conflict

data privacy shield

Privacy Shield is an international agreement between the European Union and United States regarding data privacy and sharing. It has existed since 2016, when it replaced the Safe Harbor data sharing framework.

Companies that transfer personal data from the EU to the USA must self-certify with the US Department of Commerce that they comply with 23 requirements relating to the use and treatment of that data, in addition to mechanisms for request of that data and options for recourse by European citizens.

Privacy Shield may seem to have been superseded by the General Data Protection Regulation (GDPR), but in practice the two work in tandem. GDPR does go further in its protections than Privacy Shield, but it is enforced by European bodies rather than the US government.

However the United States has not been enforcing Privacy Shield compliance and has not appointed required officials, leading to the EU commissioner for Justice announcing an ultimatum to the US secretary of commerce: comply or the agreement will be suspended, in theory ending all data sharing between the US and EU, at least when related to personal information used in commercial purposes.

Meanwhile, the same plaintiff who brought down the Safe Harbor framework has turned towards Privacy Shield as well, leveling legislation that essentially claims information transferred under Privacy Shield does not have enough protections from United States surveillance policies or corporate practices. The European Parliament seems to agree, calling out the Facebook-Cambridge Analytica scandal as an example of how enforcement of Privacy Shield is lacking.

If Privacy Shield is retracted, there will likely be a lengthy process as a new international agreement is hammered out, resulting in new compliance standards for companies that process and transfer personal information between the EU and USA.

California Consumer Privacy Act and Data Privacy at Home

The EU is not the only party concerned about its citizens’ data privacy. California recently passed the CCPA, which mirrors the GDPR in many ways, including allowing consumers to request the extent and specifics of their personal data held by companies.

It applies to all companies that serve California residents that have at least $25 million in revenue, whether based in California or not. Companies under $25 million revenue that collect personal information from 50,000 or more Californians must also comply. Finally, if a company attributes over 50% of their revenue from selling personal data, they must comply.

CCPA fines companies on a per-record basis for failing to protect individual personal information. Companies have 30 days to locate the source of a breach and report the overall scope. It also opens the door for consumer lawsuits if CCPA guidelines are broken, even if there is no data breach.

Compliance involves multiple security control layers, from physical to digital, including encryption, anonymization, and access control. Data tracking must be implemented in order to serve any data requests from citizens. The law goes into effect in 2020.


What Data Privacy Laws Mean for I.T. Providers

Data centers, cloud hosting providers, and IT service organizations all process and store vast quantities of personal data on a regular basis. While halting the spread of information over the internet may seem like an impossible proposition, large fines could await should you remain unprepared for a data deletion request or government audit — in addition to potential private lawsuits.

The most intensive step is implementing data tracking and inventory systems that allow you to pull up and delete all instances of personal data across your entire infrastructure. This is assuming you already have many data security layers in place as a responsible service provider, such as encryption options, intrusion detection, and access controls.

The Privacy Shield hubbub goes to show that data privacy laws remain a moving target, and are unlikely to ever be fully settled, especially across international lines. The best solution is to remain as high-security as possible, adhering to the latest best practices in information security and auditing, and going beyond any required compliance standards when possible. If you make proactive infosec a priority, most of these mandates will already be covered.

Recent Blog Posts

lunavi logo alternate white and yellow
Lunavi Proves Commitment to Channel Partners, Customers with CRN Elite 150

While industry recognition such as the MSP 501 is validating, the most rewarding part of my work in the channel is hearing from partners and their clients about the success they have with these types of engagements.

Learn more
lunavi logo alternate white and yellow
More Than Just Another Partnership, the Azure Expert MSP Is a Unique Source of Pride

As a founder and leader at Lunavi, I’ve seen our organization achieve a lot of big things. That said, achieving the distinction of Azure Expert MSP stands out.

Learn more
lunavi logo alternate white and yellow
What You Should Know About the SolarWinds Nation-State Hack

A supply chain attack on SolarWinds software has led to numerous security breaches. Learn how Lunavi is responding and what you should know about the hack.

Learn more