In early October, 4,200 companies that had been certified under the U.S. Safe Harbor Framework as having developed processes and procedures to protect the private information of EU citizens were told that their certifications were invalid. Privacy experts have been scrambling to give them advice on next steps, which include utilization of model contractual clauses relating to individual data transfers, or implementation of binding corporate rules requiring the approval of an EU Data Protection Authority, which can take up to a year to accomplish. Whether these actions will also be considered invalid along with the Safe Harbor framework is not clear. However, since both allow an individual to question a company’s compliance with the EU privacy directive, it is more likely that they would be considered adequate.
While recently wandering side streets of London and Paris, I noticed “the cloud” being offered in small storefronts alongside cafes offering baguettes and cappuccinos. It is remarkable how ubiquitously and trustingly this intangible data-storage solution has been adopted, even as organizations scramble to protect the apparently sacred private information collected from the same individuals buying these cloud services. Organizations are simultaneously tasked with addressing burgeoning costs of litigation and other consequences of excess data storage seemingly being alleviated by the cloud.
With the tsunamic rise in information growth in the past few years,[i] managing ever-increasing formats and sourcing has become increasingly difficult. The complexity has resulted in newly defined C-level participants (e.g., data officers, chief information officers, chief technology officers) tasked with putting electronic data in order. Riding a forceful wave of growth, they attempt to control what is defined as their domain, often putting out fires as data growth leads to potential liability in courts of law or through government-agency enforcement.