Safe Harbor and Access Control for Transatlantic Data Transfer
The deal was made public on February 2nd, two days after the initially agreed-upon deadline for a solution had passed. Speaking on the deal, Vera Jourova, the European Commissioner for Justice, said, “For the first time ever, the US has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.”
The new framework is designed to facilitate the easy transfer of data between the EU and the US, while providing EU citizens with the same privacy protections afforded to them in the EU. With the deal in place, many of the 4,500 US companies that have a safe harbor agreement can breathe a little more easily, particularly in light of the Weltimmo case – which could have forced US companies to comply with regulations in each European jurisdiction that they operate in, rather than the EU as a whole.
The new deal is still a challenge, though, and will continue to pose complex access control challenges for any US-based organization that collects, processes and transfers European citizens’ data. Companies will have to manage who can access European citizens’ data, and for what purpose. Additionally, the US Department of Commerce will carry out regular compliance checks of each company that has an agreement in place.
This means compliance officers will be asked to answer the type of questions that cause internal teams to break out in a cold sweat, forcing them to navigate through thousands of roles, documents and policies in search of the answer to “What information can employee X in accounts access?” or “Who can access files on UK-based customers?”
And while it sounds daunting, it doesn’t need to be a long and painful process, especially if you’re familiar with Attribute Based Access Control (ABAC), which allows your organization not only to manage who does what and under what conditions, but also to prove it to auditors from both a user-centric and a document-centric access control perspective.
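To make the two audit questions above concrete, here is a small deny-by-default attribute evaluator that answers both the user-centric and the document-centric query and reports which rule granted each access. It is an added example, not code from this post or from any ABAC product; every subject, resource, attribute and rule in it is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Every name, attribute and rule here is constructed for illustration.
@dataclass(frozen=True)
class Subject:
    name: str
    department: str
    country: str
    privacy_trained: bool

@dataclass(frozen=True)
class Resource:
    name: str
    kind: str
    customer_country: str

@dataclass(frozen=True)
class Rule:
    rule_id: str
    permits: Callable[[Subject, Resource], bool]

COVERED = {"UK", "DE", "FR"}  # assumed sample of jurisdictions needing extra care

RULES = [
    # Accounts staff read invoices; covered-country invoices need privacy training.
    Rule("R1", lambda s, r: s.department == "accounts" and r.kind == "invoice"
         and (r.customer_country not in COVERED or s.privacy_trained)),
    # Support staff read customer files only for customers in their own country.
    Rule("R2", lambda s, r: s.department == "support" and r.kind == "customer_file"
         and s.country == r.customer_country),
]

def decide(s: Subject, r: Resource):
    """Deny by default; return the id of the first permitting rule, else None."""
    return next((rule.rule_id for rule in RULES if rule.permits(s, r)), None)

def what_can_access(s, resources):
    """User-centric audit: resource name -> rule that grants access."""
    return {r.name: d for r in resources if (d := decide(s, r))}

def who_can_access(subjects, resources, customer_country):
    """Document-centric audit: (subject, resource, rule) for one country's data."""
    return [(s.name, r.name, d) for r in resources
            if r.customer_country == customer_country
            for s in subjects if (d := decide(s, r))]

SUBJECTS = [Subject("alice", "accounts", "US", True),
            Subject("bob", "accounts", "US", False),
            Subject("carol", "support", "UK", True)]
RESOURCES = [Resource("inv-uk-1", "invoice", "UK"),
             Resource("inv-us-1", "invoice", "US"),
             Resource("file-uk-1", "customer_file", "UK")]
```

Because both queries run through the same `decide` function that enforces access, the audit answer cannot drift from what the policy actually permits, and the returned rule id is the evidence trail an auditor would ask for.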
You can discover more about ABAC and compliance here. Personally, I expect more and more US companies will adopt this technology in the coming years, if nothing else just to uphold auditors’ and compliance officers’ sanity.
Oh, and if you want to get the lowdown on fine-grained access control and Safe Harbor, visit the dedicated Safe Harbor section of our site.