The European Court of Justice yesterday ruled that the Safe Harbour scheme “enables interference, by United States public authorities, with the fundamental rights of persons” following a privacy campaign against Facebook by Max Schrems, a campaigning Austrian law student.
Is it possible that this ruling could have implications for companies with ISO27001?
In Europe, personal data protection is covered by two directives:
These are possibly the most stringent data protection guidelines operating in the world. The European Commission recognised that ‘Special precautions need to be taken when personal data is transferred to countries outside the EEA that do not provide EU-standard data protection.’
A ‘safe harbour’ was developed in 1998-2000, under which an agreement was made between the EC and the US government which essentially promised to protect EU citizens’ data if transferred by American companies to the US. This covered companies such as Facebook, cloud service providers including Microsoft, CRM software providers such as Salesforce, and AirBnB. These companies could self-certify that they were meeting the following requirements:
- Notice – Individuals must be informed that their data is being collected and about how it will be used.
- Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
- Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- Security – Reasonable efforts must be made to prevent loss of collected information.
- Data Integrity – Data must be relevant and reliable for the purpose it was collected for.
- Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
- Enforcement – There must be effective means of enforcing these rules.
Implications of the Ruling
The Court Ruling means that US companies can no longer rely on self-certification, and will require “model contract clauses” in each case, which will authorise the transfer of data outside of Europe. Internet Association President and CEO Michael Beckerman has issued a statement on the U.S.-EU Safe Harbor Agreement: “Internet companies have mechanisms in place to effectuate data transfers beyond the Safe Harbor, but smaller companies and consumers both in the EU as well as in the U.S. could experience significant challenges going forward”. As stated by the Guardian, getting Model Contract Clauses approved “before transferring data will be both a financial and administrative burden”.
ISO27001 lists Reference Control Objectives and Controls which include A.13.2.1 Information Transfer Policies and Procedures, A.13.2.2 Agreements on information transfer, A.13.2.4 Confidentiality or non-disclosure agreements, as well as A.15.1.3 Information and communication technology supply chain, amongst others.
As an example, A.13.2.4 is further elaborated in ISO 27002:2013, which clarifies the requirement to consider ‘ownership of information, trade secrets and intellectual property, and how this relates to the protection of confidential information’ and ‘the permitted use of confidential information and rights of the signatory to use information’, both of which are particularly pertinent given that the ECJ has effectively ruled that ‘Safe Harbour’ does not give sufficient reassurance in the light of the Snowden revelations.
At the very least, organisations will need to undertake a review of the compliance of information processing and procedures (A.18.2.2). They will also need to review their information security risk assessment, and implement any further controls as may be required, particularly covering the period where suppliers are applying for Model Contract Clause approval. There are also supply chain and business continuity considerations, particularly for those cases where Model Contract Clause approval has not been achieved.
The European Commission has recommended a reform of this Data Protection Directive as a policy priority for 2015, stating that ‘The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business.’ It remains to be seen whether the 2015 target will be met, and how quickly any changes can be implemented and, subsequently, agreed with other countries.
As pointed out by the CBI’s Director for Competitive Markets, Matthew Fell, “The ability to transfer data easily and securely between Europe and the US is critical for businesses in our modern data-driven digital economy. Businesses will want to see clarity on the immediate implications of the ECJ’s decision, together with fast action from the Commission to agree a new framework.”
Does the “Safe Harbour” ruling have any impact on your information security or ISO 27001 certification? Cambridge Risk Solutions offers comprehensive advice and support, and can assist you; call 0800 035 1231 today
Written by Helen Molyneux