Category: Data security

Not so Safe Harbor: EU-US data protection cooperation on the rocks.

After the Snowden revelations, the European Union is finally getting its data privacy act together and it looks like a brutal fight is ahead, possibly leaving global corporations’ reliance on the longstanding safe harbor provisions, standard clauses and consents listing somewhere mid-Atlantic.

Here’s the EU Commission VP & Commissioner for Justice, Fundamental Rights and Citizenship Reding on Safe Harbor at the Vilnius Informal Justice Council 19 July 2013:

The Safe Harbor agreement may not be so safe after all. It could be a loophole for data transfers because it allows data transfers from EU to US companies – although US data protection standards are lower than our European ones. I have informed ministers that the Commission is working on a solid assessment of the Safe Harbor Agreement which we will present before the end of the year.

The Safe Harbor agreement enables data to be transferred from the EU to the US. The Safe Harbor framework was developed by the US Department of Commerce, in consultation with the Commission, industry and non-governmental organisations to provide US organizations with a streamlined means of satisfying the Directive’s “adequate protection” requirement.

The Commission is working on an assessment which it will present before the end of the year. We can only hope that the US realizes what a hole it’s dug for its tech companies before then. Quick and decisive action is needed but nothing is coming from either the Obama Administration or the US Congress.

Is Google Analytics Illegal?

Today the Norwegian data privacy authority declared that it considers the use of the Google Analytics tool by the national tax administration and the educational loan fund illegal.

Their argument is relatively clear. The public agencies apparently accepted Google’s standard terms of service, which allow it to use the IP addresses of tax and education fund users to provide other services. Moreover, if the user is logged into a Google service at the time, Google will also be able to identify the user.

While Norway is not an EU Member, it is a member of the European Free Trade Area and its data protection legislation closely tracks the EU’s, which makes this finding somewhat disconcerting. In fact, since IP addresses collected by the agencies are sent to Google for processing, Google becomes an undeclared “data processor”, in clear violation of the law.

I can understand how this might happen: Google makes it simple (and tempting) to adopt Analytics to follow traffic on your site, so people in the agencies’ IT departments had a free alternative to going through a public procurement process to acquire a similar service that would properly treat the personal data.

Bottom line, there’s no free software out there. Second bottom line, hire a lawyer to train your IT department in the basics of data protection law.

The human factor: Dassault nEUROn drone blueprints stolen.

In an incident right out of a Bond film, Le Parisien newspaper reported Wednesday that documents related to Dassault Aviation’s nEUROn stealth drone were stolen at Paris’ Gare du Nord train station.

The theft was carried out using a common pickpocket distraction technique where one of the executives carrying the documents quit a ticket queue (and left his briefcase) to come to the aid of his travelling companion who was being harassed by a vocal young man. When he returned, his briefcase was obviously gone, probably on its way to a competitor.

Dassault Aviation PR says no sensitive documents were taken.

This scenario is ripe for addition to a training deck on document management and how to behave in public. It’s a shame for Dassault but I’m sure their compliance department is having fun debriefing all concerned.

Photo: Dassault Aviation.