Toward a Solution for EU-US Privacy: In examining the underpinnings of the debate, we advocate a combined technical and business process solution

Friday, July 1, 2016 - 14:26

The European Union and the United States continue to struggle with the means to protect individual privacy, and unless common ground is found, the difficulty of cross-border commerce will also increase.

Many readers may be familiar with the history here:

  • The Safe Harbor accord was in existence for some time but was invalidated once Edward Snowden’s revelations made it clear that the U.S. government was routinely looking at individuals’ data.
  • The Privacy Shield has been proposed after a great deal of negotiation between the U.S. and the EU, but recent events indicate that the EU is still uncomfortable with the pact and feels it does not provide adequate protections.

Some observers point to a hidden agenda on the part of the EU – that it is trying to force U.S. companies to spend money in the EU, or that it resents the hegemony of U.S. companies, like Amazon or Apple. However, the core issue is that the EU and the U.S. differ on the importance of privacy in our respective societies. The depth of feeling in the EU over privacy is similar to the feeling we have in the U.S. toward free speech – one of the absolutely critical civil rights that is the basis for our values and our relationship with the government. Privacy is clearly important in the U.S.; however, it is cherished in the EU.

Possible Legal Solutions

There are several forms of legal agreements that may serve as suitable replacements for the Privacy Shield. We will leave that to those in the legal profession to discuss. Our observation here is that given the level of mistrust between the U.S. and the EU, these may become as troubled as the overall pacts.

“Data localization” is the term used to describe the storing of data within the jurisdiction in question. For example, data localization in Germany would mean the physical construction and/or storage of data within the geographic boundaries of Germany. Some countries, such as Russia, have now mandated data localization through specific laws. A number of information technology providers offer data location services and options for their clients. For example, Amazon has announced investments in the billions in certain countries to further its data localization options.

The primary challenge around data localization is that the physical storage of data in a protected environment is only one component of a well-rounded privacy program. There still need to be controls for data retrieval, movement, use, etc. Storing data in Germany, for example, may not achieve the EU’s privacy objectives if data is readily and continually accessed in the U.S.

A More Comprehensive Solution

Those tasked with meeting the EU’s requirements must understand that the EU sees privacy as a critical civil right and build their EU privacy programs accordingly. The circumstances we find ourselves in, with the U.S. and the EU basically at an impasse, are not going to be resolved until the U.S. understands the EU’s passion on this issue.

If an organization is going to go down the path of a technology solution, such as data localization, it needs to be accompanied by the creation of robust business processes for the access and use of that data. While some observers have lamented the loss of flexibility around cross-border commerce, we would argue that the processes we are advocating – the compartmentalization of data access and use – have actually existed for some time. For years, internal control specialists have cited “least privileged access” as a driving concept for data and system access. This means that a system user should be afforded the lowest access level that they need to perform their function. Most enterprise resource planning systems have been designed to implement role-based security. Role-based security is the creation of standard profiles based on job function, and as individuals enter, change or leave positions, they are given the access capabilities commensurate with their job function.

Certainly, the creation of a comprehensive data compartmentalization program will require more than access protocols – it may require organizations to establish some operations in the EU, or to hire vendors to do such things as marketing, selling and servicing. Until the U.S. understands the intensity of the EU’s demands that American businesses value the European perspective on privacy, the issue will remain unsolved.

Brian Lane is a partner in Baker Tilly’s Financial Services group. Kevin Sullivan is director of Baker Tilly’s Financial Services group. Maurice Jones Jr. is a senior consultant in Baker Tilly’s Risk Advisory group.

Please contact the authors at brian.lane@bakertilly.com, kevin.sullivan@bakertilly.com or maurice.jones@bakertilly.com with questions about the article.