NEW YORK – United States companies doing business abroad are grumbling over new European privacy laws set to take effect in less than one year. The EU privacy rules are far more stringent than U.S. laws, and are meant to give consumers the upper hand when it comes to controlling what data is stored by companies online.
In a discussion at the Borderless Cyber conference, Clare Sullivan, a professor at the Georgetown University Law Center and a Fellow at the Center on National Security and the Law, said business-to-business sharing of personal data is about to get more complicated.
For the threat intelligence community, there need to be clear rules for sharing data between the private sector and U.S. and foreign government entities that do not run afoul of the EU privacy rules known as the General Data Protection Regulation (GDPR), Sullivan said.
“Many factors can affect an organization’s legal ability to engage in global business-to-business sharing of cyber threat information. Of chief concern is whether IP addresses can be lawfully shared between organizations as cyber threat intelligence,” she said.
Sullivan said that U.S. companies need to be well aware of the EU privacy rules because of their global impact. A Georgetown University project, the Cyber Threat Sharing Project, found that many countries that trade with the EU are also adopting the EU privacy rules.
“Most countries around the world follow the EU privacy model,” she said. The major exception is the United States, she said. “At the moment most countries around the world base their data protection and privacy laws on the current EU directive and will soon be moving to the new regulation (GDPR) set to be enforced in May 2018.”
The reason so many countries are adopting EU privacy rules is that the EU has insisted countries that want to trade with it must comply with its privacy standards.
“The EU model defines personal data very broadly. It considers personal data anything that can identify a person directly or indirectly,” she said. The European Union Data Protection Directive, which the GDPR replaces, defines the activity it restricts just as broadly:
“‘Processing of personal data’ (‘processing’) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.”
However, Sullivan said companies need to pay special attention to the GDPR’s extraterritoriality provision. “What the new rule is saying is, if you are a U.S. company and you process the personal data of an EU subject you are subject to the EU data protection regime. That’s a distinct change from current rules,” she said.
The U.S. had negotiated an agreement called the EU-U.S. Privacy Shield with EU regulators that enabled more than 2,000 U.S. companies to transfer the personal data of EU citizens to the U.S. for processing without risk of breaching fundamental European privacy rights. But in January, President Donald Trump signed an executive order directing federal agencies to exclude people who are not U.S. citizens or lawful permanent residents from Privacy Act protections, which raised doubts in Europe about whether the assurances underpinning the Privacy Shield still hold.
The consequence, Sullivan said, is it will likely be harder for U.S. companies to do digital business in the EU. The annual review of the US-EU Privacy Shield is due to take place in September.
So when it comes to processing or collecting something as seemingly innocuous as an IP address, what are the rules?
Sullivan said the ambiguity around whether an IP address is personal data makes it too risky for most U.S. corporations to collect. “Clearly we are going to have an issue here as to whether an IP address is considered personal data. It will depend on circumstances, but as a principle we can’t put a corporation anywhere near that liability. These laws are not geared toward threat intelligence sharing,” she said.
“In cybersecurity, of course we don’t want to notify a subject that we are collecting their IP address, because that’s the bad guy,” Sullivan said. However, she said, under EU privacy rules there is a provision for collecting data that makes it acceptable if it is in the “public interest.”
“This is a provision that we believe we are within and typical of similar EU-inspired privacy rules around the world,” Sullivan said. The rule reads: “Data processing must be necessary for the performance of a task that is in the public interest.”
According to Sullivan, the EU’s Article 29 Working Party has reviewed this matter in the context of the threat intelligence community. The Article 29 Working Party is an EU advisory body made up of representatives of the member states’ data protection authorities; it issues non-binding opinions on unsettled questions such as these.
Her findings, she said, should assist the threat intelligence community in understanding the international legal environment it will soon face. This is necessary for companies to develop policies and procedures to enable timely and effective legal sharing of cyber threats.