
Understanding Privacy Shield

August 10, 2016 | Written by: Efficient IP


Different parts of the world have different views of how we need to treat personally-identifiable information. Europe takes a much stronger view of personal privacy than the US, with a focus on giving users control of their personal information: no matter who holds the data, the user has the right to determine how it's used – and must be informed of what's being collected and why.

For Europeans, personal privacy is a fundamental right, the result of a century of wars and totalitarian governments. Whether the holder is a government or a company, personal information needs to be protected, no matter where that holder is from. That can be a problem where laws differ, especially between the US and the EU.

Recent court cases meant the long-standing Safe Harbor data protection agreement had to be set aside and replaced with something a lot stronger. That's resulted in a new regime that is coming into force, called Privacy Shield. Closely related to the upcoming European GDPR, it's a comprehensive set of rules for how EU citizen data can be collected and used. Agreements like this are essential to fix mismatches between privacy rules across the world – and Privacy Shield is just one example.

The result is a complex text, one that's designed to cover how US companies collect, process, store, and use European PII. At the heart of the agreement is the ability for EU citizens to enforce privacy regulations directly against US companies, using their local data protection authorities. Once certified to be Privacy Shield-compliant, US companies will need to set up and use a formal recourse process (one they need to pay for and that's enforceable under both US and EU law).

Privacy Shield-compliant companies will need to make a commitment to ensure the protection of users' personal data and that only relevant information is used, even by third parties. It's a commitment that goes beyond the law and into their infrastructure, as it means that all data needs to be protected at rest and in motion. If there's a breach and data loss, companies will need to work with both US and EU authorities, handling notifications and responding to data protection authorities as well as their users.

Managing privacy is a complex process, and requires commitment from all parts of a business. That means building an infrastructure that's both privacy-aware and secure, with the intent of protecting customer data. You need a network that's able to detect and deflect intrusions, with an adaptive response to attacks that's able to detect unusual activities and data exfiltration across a wide range of low-level network technologies.

Efficient IP's 2016 DNS security survey has shone a light on the risks businesses face with traditional DNS architectures. Agreements like Privacy Shield mean that there's a significant business risk to running an unprotected network – you need an approach that protects your entire infrastructure.
