Cyber Security Institute

Tuesday, May 25, 2010

German watchdog tells firms to do own US privacy checks

German privacy watchdogs have told companies to conduct their own checks of US companies’ conduct before passing personal data to them, even if they are signed up to the EU-US ‘Safe Harbor’ data protection scheme.  It has said that companies must not simply take US companies’ word on their compliance with EU privacy principles if they plan to send personal data to them.  European Union laws on privacy are amongst the world’s strictest, and companies are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will be protected as well there as it is in the EU.

Multinational companies can use binding corporate rules to send data to parts of the company in different countries, and companies can also use model contract clauses produced by the European Commission to bind companies outside of the EU to its high data protection standards.

The Düsseldorfer Kreis has said, though, that there are worries about how thorough US companies are being when they claim they have complied with the Safe Harbor deal, and has told German companies that they must make their own checks on US firms.  “Any certification older than seven years old is not valid.”  The group also said that companies must check how US companies tell the subjects of the data being transferred that it is processing their data and ensure that privacy regulators can check that this has been done.

“A large number of organisations failed to comply with Principle 7—Enforcement and Dispute Resolution, as they did not identify an independent dispute resolution process for consumers.  Many of these false claims have continued for several years,” said the study, which examined compliance with just one of the scheme’s seven Safe Harbor Framework Principles.  The study was not the first to find problems in the implementation of the Safe Harbor programme.

“Overall the study found that the problems identified in previous reviews of the Safe Harbor have not been rectified, and that the number of false claims made by organisations represents a significant privacy risk to consumers,” it said.

Louise Townsend of Pinsent Masons, the law firm behind OUT-LAW.COM, said that companies should be making basic checks on any firm they hire to process data for them even if they are part of the Safe Harbor programme.

http://www.theregister.co.uk/2010/05/25/eu_us_privacy/

Posted on 05/25 under Regulations