The GDPR will affect not only the collection and processing of personal data by European companies; US companies are starting to struggle with it too, especially when it comes to sharing data about cyber threats.
GDPR brings new rules for businesses
It is less than a year until the General Data Protection Regulation (GDPR) comes into force. While European companies are implementing new measures to comply with the new requirements, US businesses are also starting to worry.
More rights for consumers
The GDPR will change a lot for companies dealing with personal data. It will apply not only to European companies but also to businesses outside the EU that provide goods and services to the EU.
“What the new rule is saying is, if you are a U.S. company and you process the personal data of an EU subject you are subject to the EU data protection regime. That’s a distinct change from current rules,”
said Clare Sullivan, a professor at Georgetown University Law Center and a Fellow at the Center on National Security and the Law, according to Threatpost.
The GDPR is stricter about personal data stored online: consumers themselves decide what data may be processed and stored. This is a major difference from the rights consumers have in the US.
Global data protection laws based on GDPR
“Most countries around the world follow the EU privacy model. At the moment most countries around the world base their data protection and privacy laws on the current EU directive and will soon be moving to the new regulation (GDPR) set to be enforced in May 2018.”
The major exception is the United States, Sullivan said.
The reason so many countries are adopting EU privacy rules is that the EU has insisted that countries wanting to trade with it must comply with its privacy standards.
In the US, ninety-two percent of multinational companies cited compliance with the looming General Data Protection Regulation (GDPR) as a top data protection priority, according to new research from PwC, CIO reports.
Threat intelligence community needs to be aware of GDPR impact
Cyber threat intelligence is key to fighting cyber crime, and global business-to-business sharing of cyber threat information is a necessary prerequisite. For the threat intelligence community, there need to be clear rules about sharing data (e.g. IP addresses) between the private sector and U.S. and foreign government entities that comply with the requirements of the GDPR, Sullivan said.
EU data protection law defines personal data much more broadly than US law: any information that can identify a person, directly or indirectly, counts as personal data.
… and the Privacy Shield?
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
Cloud companies in particular were able, if they complied with the requirements of the Privacy Shield, to receive and process the personal data of EU citizens.
But in January, President Donald Trump signed an executive order that modifies the Privacy Shield agreement, so the future of the Privacy Shield is uncertain. Furthermore, a Privacy Shield certification alone does not permit data transfers from the EU to the US; businesses still need to comply with the requirements of the GDPR.
Is an IP address personal data?
Of course, when talking about cyber threats and possible security measures, the question arises: are IP addresses personal data? Yes, at least certain kinds of IP addresses are, according to the European Court of Justice.
On 19 October 2016, the Court of Justice of the European Union (the “CJEU”) published its judgment in Case 582/14, Patrick Breyer v Germany, in which it held that IP addresses are personal data in certain circumstances. In particular, the BGH (Germany’s Federal Court of Justice) had asked the CJEU to determine whether dynamic IP addresses are personal data in the hands of a website operator if a third party (e.g., an Internet Service Provider (“ISP”)) holds additional information (e.g., account details) that can be used to link those dynamic IP addresses to the identity of the relevant individual, White & Case reports. The CJEU decided that a dynamic IP address is personal data in the hands of a website operator if (1) there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual, and (2) the website operator has a “legal means” of obtaining access to the information held by the ISP in order to identify the individual.
Sullivan said the ambiguity around whether an IP address is personal data makes it too risky for most U.S. corporations to collect them.
“Clearly we are going to have an issue here as to whether an IP address is considered personal data. It will depend on circumstances, but as a principle we can’t put a corporation anywhere near that liability. These laws are not geared toward threat intelligence sharing. In cybersecurity, of course we don’t want to notify a subject that we are collecting their IP address, because that’s the bad guy. However, under EU privacy rules there is a provision for collecting data that makes it acceptable if it is in the ‘public interest.’ This is a provision that we believe we are within and typical of similar EU-inspired privacy rules around the world.”