Those in the US involved with receipt of data transfers pertaining to European citizens must take heed of the pending replacement for the invalidated Safe Harbor which previously governed such transfers. While the replacement, known colloquially as the ‘Data Shield’ has not been finally adopted, and its confines are not altogether clear, there is at least some guidance presently available.
Among other things, it is important for US companies to publish their commitments pertaining to the handling of personal data. Presumably, such commitments will need to be in a prominent place on company websites. While it is not yet clear as to what should be included in such publications, it presently appears that they should encompass both security measures, such as encryption, if applicable, and sharing of material with government and/or business partners. Of course, it remains essential that actual practice conform to such commitments.
Companies previously registered under the old Safe Harbor will have to take new action to utilize the Data Shield benefits. We will have more to say as the situation unfolds.
In the meantime, the noisy controversy associated with the effort to force Apple to ‘unlock’ the encrypted data on the phone used by one of the perpetrators of the San Bernardino massacre must NOT dissuade anyone from taking strong measures to secure from fraudsters the personal data, including both financial and health data, which they receive. The same governmental admonitions which we have discussed on these pages remain unaffected by the Apple controversy, and companies failing to take meaningful measures to secure data are at much greater risk from a data breach and subsequent legal action than they are from the concerns of the civil libertarians who are weighing in so vociferously on the Apple situation.
Very few companies will be involved in interaction with law enforcement in the same manner as Apple. All are at risk of a data breach.
The Apple situation most definitely has major public policy ramifications which warrant the debate which is occurring. However, this debate is irrelevant to day-to-day commercial practice, where strong security measures for personal data remain the order of the day. The California Attorney General has published useful guidance as to the nature of such security practice: https://oag.ca.gov/breachreport2016.
On another note, a recent settlement involving Verizon’s use of cellphone tracking data illustrates how those obtaining such data need to be very careful with how they use it. Verizon paid $1.4 million to settle allegations relating to its use of ‘supercookies’ – difficult-to-remove code used to obtain cellphone users’ location data and use it to deliver targeted ads. The company also agreed to enhance its disclosures and to limit some such uses to customers who affirmatively authorized them.