AIIM Open Forum


New Safe Harbor Framework Dictates More Rigorous Information Governance Best Practices

By Andrew Pery posted 03-28-2016 15:47


Annual trade flows between the EU and the US are estimated at $1 trillion. Unencumbered cross-border data flows between these two large trading blocs, which together represent roughly 50% of global GDP, are essential for efficient supply chains, real-time access to vital information, innovation, and sustained profitability.

Data transfers between the EU and the US have long been governed by the US-EU Safe Harbor Framework. Adopted in 2000, the framework rested on the EU's "adequacy" requirement: personal data transferred from the EU to the US must receive a level of privacy protection substantially equivalent to that required by EU data protection law. In particular, the framework required that personal data be processed only for the purposes for which it was originally collected, that it be protected from loss or misuse, and that data subjects be able to access, amend, and delete their personal information.

Snowden revelations challenged Safe Harbor effectiveness

This regime, however, came to an abrupt halt with the Snowden revelations of bulk surveillance by US intelligence agencies, including collection of personal data held by companies that were subject to the provisions of the Safe Harbor Framework. Following the Snowden leak, the European Commission began a process of re-negotiating the Safe Harbor Framework. Its efforts were bolstered by the decision of the Court of Justice of the European Union in Schrems v. Data Protection Commissioner, which held that the Safe Harbor Framework failed to provide an adequate level of protection for EU data subjects, in part because EU citizens had no legal remedy in the US to enforce protection of their personal information against disclosure and misuse. [1]

As a result of these developments, there was a high sense of urgency to remedy the impact of the Schrems decision, as well as to restore the trust in US data privacy enforcement that was lost following the Snowden revelations. One of the key tenets of a re-negotiated Safe Harbor Framework was to give EU citizens standing in US courts to enforce their privacy rights.

Contrary to prevailing opinion and despite the ongoing standoff within the US Congress, President Barack Obama signed the Judicial Redress Act of 2015 into law. The act gives citizens of designated countries, including EU member states, the ability to sue certain US federal agencies over unlawful disclosure of their records, and the right to access and amend those records, remedies previously available only to US citizens and permanent residents under the Privacy Act. Moreover, the EU and US authorities have agreed to a sweeping reform of the Safe Harbor Framework under the provisions of the EU-US Privacy Shield.[2] The Privacy Shield raises the bar for the protection of EU citizen data imported into or transferred to the US. It provides more robust protection concerning the collection, notice, consent, use, onward transfer, and disclosure of EU citizen data, and strengthens enforcement rights. This is a major development, as the EU data privacy framework is far broader in scope than the sectoral US data privacy framework. In a sense, the Privacy Shield gives EU citizens extraterritorial rights.

What do these developments mean for US companies?

For one, there is a heightened requirement for proactive implementation of data privacy policies governing the collection, use, and disclosure of any personal information imported into the US and held or processed by US companies and US data controllers. Second, US companies will need to invest in improved information governance practices, and there is significant room for improvement here. An AIIM report titled Content Analytics: automating processes and extracting knowledge found that 54% of organizations surveyed believe they are exposed to potential risks because they lack proper practices to capture, identify, classify, and protect their corporate information assets.

A potentially useful model for helping organizations develop more rigorous information governance practices and processes is the Information Governance Reference Model (IGRM). The model reconciles the interests of five stakeholder groups: the business, which treats information as an asset to be leveraged for competitive advantage; privacy and security, which requires information to be protected in accordance with privacy and security mandates; IT, which must manage information efficiently by means of automated capture, classification, process automation, and archival; records management, which must retain and dispose of information according to defined retention requirements; and legal, which must preserve information to meet legal requirements, including e-discovery.

There are many benefits to implementing an effective information governance framework: integrity, accessibility, and reliability of information assets, and improved sharing of information subject to well-defined business rules. Equally important is risk mitigation in light of heightened expectations to comply with more rigorous security and privacy regimes. In today's global economy, information is the currency of exchange. How it is leveraged and preserved can make the difference in helping companies achieve a sustainable competitive advantage.

[1] Maximillian Schrems v. Data Protection Commissioner, Court of Justice of the European Union, Case C-362/13, 6 October 2015.
[2] European Commission press release IP-16-216, http://europa.eu/rapid/press-release_IP-16-216_en.htm
