Short papers: Explain, contrast, or compare the subject in 3-5 pages, not including your name, class ID, and header information. Use single spacing, normal margins, and 12 pt Times New Roman. Reference anything that isn't yours using MLA citation. Failure to adhere to the formatting and page-length requirements can mean a loss of up to 25 points.

Subject: Describe and reflect on the importance of cloud computing, addressing questions such as: What is cloud computing? What are the different types of cloud platforms, and how do they work? How is cloud computing changing the way we look at information and how we do business? How is the government approaching the use of cloud computing? What, if anything, is the government doing to secure the cloud for government data? What is the Federal Risk and Authorization Management Program (FedRAMP)? Why is FedRAMP unique, what does it do, and why is this important? How does FedRAMP create a baseline of security for cloud providers, and how is this baseline enforced? Do you think we need this kind of program to secure our government data? Tell me your thoughts.

Running head: THE EU-US SAFE HARBOR LAWS 1

The EU-US Privacy Shield Program /Safe Harbor Vs. US privacy laws

Mohammed Alahmadi

CSUSB

10/13/2019

Privacy and data protection rest on a tension between the free flow of commercial data and the protection of individuals, and that tension has shaped the fate of Privacy Shield. As trade and business activity moved onto the internet, the United States and the European Union needed a framework to govern the flow of personal data between them in order to support economic growth and development in both regions. Changes in data-mining practices and significant gaps between American and EU protocols prompted a renegotiation of the Safe Harbor Agreement, which led to the new Privacy Shield (Weiss & Archick, 2016). Although Safe Harbor and Privacy Shield are often described as granting organizations and businesses permission to collect and use personal data, their primary role was to provide the highest practicable level of protection for the personal information of American and European citizens.

The EU-US Privacy Shield Program /Safe Harbor Laws

Developed in 2000 to facilitate transactions by companies and organizations, the Safe Harbor Agreement obliged participants to safeguard individuals' privacy rights by using their data only within the agreed guidelines. The European Union and the United States established the framework as a shared understanding because their approaches to data confidentiality and their legal systems differ. American law generally permits the collection and processing of personal data except where a regulation expressly restricts it; the EU, by contrast, prohibits such processing unless there is a clear legal basis that permits it. Moreover, in the EU "protecting personal data is a fundamental human right," set out in a Charter binding on all member states; the Treaty of Lisbon, signed in 2007, incorporated the Charter of Fundamental Rights of the EU into the treaties. The stringent European data-privacy demands stem in part from Europe's experience with totalitarian and fascist systems (Weiss & Archick, 2016). In drafting the Safe Harbor Agreement, therefore, the EU had to press its concerns about the ideological differences between European and American attitudes toward data privacy.

Under Safe Harbor, American companies had to comply with a set of principles that set out the requirements deemed essential for meeting the EU's standard of adequate data protection. For instance, a company had to issue a notice informing individuals why their information was being collected and used, how to contact the firm with inquiries, and when information would be disclosed to third parties. An organization also had to give users the choice to opt in or out and to decide whether third parties could access their information. For sensitive data, a person had to explicitly opt in before the data could be transferred to a third party; such data includes race, religion, ethnicity, trade-union membership, and sexual orientation. Under the onward-transfer principle, companies had to apply the notice and choice principles to further transfers, so third parties receiving data had to uphold the same protections, acting as agents under a contract with the organization operating under Safe Harbor (Weiss & Archick, 2016). The creation, maintenance, use, and dissemination of personal data had to be accompanied by reasonable precautions protecting the information from loss, misuse, and unauthorized access.

Organizations also had to ensure that the information they collected and held was relevant to the purposes for which it was gathered, and had to take reasonable steps to keep that data accurate, complete, and current. Individuals had to be given access to the personal information an organization held about them, along with the ability to correct, amend, or delete it. Safe Harbor's principles could be limited, however, where national security, public interest, or law enforcement requirements demanded it.

The Privacy Shield Agreement, on the other hand, addressed the data-protection problems that emerged from privacy incidents and breaches across the EU nations and the United States between 2005 and 2015. Under it, American firms that wish to import personal data from EU countries must commit to a wide range of obligations on how that data is secured and protected. For instance, such companies must provide a detailed privacy notice, observe limits on data retention, describe individuals' rights of access to their information, and meet transferability and enhanced security requirements. The new agreement also includes clear transparency obligations, backed by written assurances from the United States government, including the Department of Justice, on the limitations and oversight mechanisms governing access to and use of transferred data. Every EU citizen has a right to pursue several avenues of redress, which is intended to ensure adequate data protection and to promote systems that impede the misuse of personal information.

American Data Privacy Regulations

The United States does not have a single, comprehensive data-protection law. Instead it has a collection of statutes, and the Federal Trade Commission has authority to protect American residents from unfair and deceptive practices. Federal privacy laws are sector-specific, and each state can impose its own restrictions on how organizations collect, process, and disclose information. The data protected by such regulations include biometric data, health records, addresses, Social Security numbers, and education records. The American constitution does not explicitly mention privacy, and the government has followed a laissez-faire approach that grants people and businesses autonomy in the markets (Movius & Krup, 2009). The government intervenes mainly through sector-specific statutes, for example when an industry fails to regulate itself, acting as a latent rather than an active regulator. America recognizes the relevance of privacy protection to the development of e-commerce but has largely left privacy to self-regulation within individual industries.

This American approach differs from the EU's view that protecting citizens' data privacy is a fundamental human right and therefore a government responsibility. After the September 11, 2001 attacks and the passage of the USA PATRIOT Act, however, the United States expanded its investigative activities in ways that redefined the country's approach to personal data privacy (Movius & Krup, 2009). The Patriot Act focuses on detecting and preventing terrorism, and it grants law enforcement officials broad authority to monitor people's activity on the internet using advanced technologies.

Nearly every data-protection law in America is sector-specific, and the country has no general registration formalities or prior-approval requirements for businesses that process personal data. Appointing a data protection officer is also optional unless a specific statute, such as the Health Insurance Portability and Accountability Act, requires a designated privacy official. The United States does not restrict the transfer of its citizens' information to foreign jurisdictions; it is up to each company to determine the type of contract or the nature of the activity involving the data. Institutions importing personal data from EU countries, however, must adhere to the EU-US Privacy Shield Framework.

Nevertheless, America treats data-security breaches with the same seriousness as the EU-US Privacy Shield Framework does. It can enforce laws and impose sanctions against organizations and companies that exploit its comparatively lenient laws to the advantage of other nations while defrauding its economy.

The Importance of the Data Privacy Frameworks and Their Impact on American Companies Doing Business Abroad

America's approach to data security gives firms the chance to invest in the country and grow its economy with few restrictions. That autonomy makes it easier for organizations that require personal data to enter the market and begin operations, and at face value it is a feasible and well-structured approach. The government's laissez-faire stance on data privacy does not, however, allow firms to take advantage of citizens: entering the free market may be easy, but each industry has specific statutes that regulate the activities of its businesses.

Each state in America also functions as a separate entity, guided by federal data-protection law but free to add its own rules, so each state, together with a few protection and compliance organizations, sets the guidelines for otherwise self-regulating markets. Local companies also enjoy some protection from unfair competition by international firms seeking to exploit American industries, and the United States' hard stance on data breaches reduces the likelihood of data exploitation by international firms that view American citizens as a prospective market.

Complying with the EU-US Privacy Shield gives American firms a mark of integrity, because membership signals adequate data-privacy protection. For instance, if a company faces allegations of a data breach in the United States, the EU can verify the case and reassure the public about the safety of their data. The self-certification and compliance requirements are also clearly defined and cost-effective, which favors small, medium, and large multinational businesses alike. Given the tremendous shift in privacy expectations placed on businesses, relying solely on a free market such as that of the United States exposes a company to numerous data-breach risks. Enterprises therefore opt into the EU-US arrangement to capture customers' attention and create value for themselves, which builds trust and loyalty.

Having both the EU-US Privacy Shield and American privacy laws in place is of great importance to American companies. At home, these businesses enjoy the loyalty and support of citizens; abroad, they gain authenticity and credibility by complying with the EU-US data policies. Such firms can be hard to outcompete on all grounds, because America is an economic powerhouse with a business spillover effect that labels its products trendy and the best in the market. Many consumers prefer American goods because of the history of reviews available online or the celebrities associated with a brand, a reputation that stems from the country's stringent quality regulations. Therefore, most American brands opt into the EU-US Privacy Shield both for integrity and to expand their customer base, which translates into a double gain for the firms.

References

Movius, L. B., & Krup, N. (2009). US and EU privacy policy: Comparison of regulatory approaches. International Journal of Communication, 3, 19. Retrieved 14 October 2019, from https://ijoc.org/index.php/ijoc/article/viewFile/405/305

Weiss, M. A., & Archick, K. (2016). U.S.-EU data privacy: From Safe Harbor to Privacy Shield (CRS Report R44257). Congressional Research Service. Retrieved 14 October 2019, from https://fas.org/sgp/crs/misc/R44257

Moreno 1

Oscar Moreno

IST 415 Security Systems Management

Professor Brough

13 October 2019

Safe Harbor/Shield and US Privacy Law

Security and privacy laws differ between countries and between states. Organizations that operate worldwide must navigate many different sets of laws and comply with each of them, or face lost revenue or severe financial penalties. Before establishing itself in a location, an organization must therefore research that jurisdiction carefully and thoroughly. Agreements between nations also help by setting a distinct set of regulations that establish how data may be transferred across borders and what types of data may be transmitted, so that two foreign nations can ensure the most adequate privacy protection possible. Without an effective framework, companies may take advantage of people where privacy laws are not implemented, or the laws may be so restrictive that companies are unable to conduct business at all.

The Safe Harbor program was an agreement between the U.S. Department of Commerce and the European Commission that aimed to protect the privacy of EU citizens; it is no longer active. The program regulated how U.S. companies handled the personal data of European citizens. It required companies to inform people that their personal data was being collected and what it would be used for, to obtain permission before transmitting data to a third party, to provide a way for people to access their data, to maintain appropriate data-integrity and security controls, to allow individuals to correct or delete their information, and to provide mechanisms for handling complaints. In October 2015, however, the Court of Justice of the European Union declared the Safe Harbor decision invalid in the Schrems case, chiefly because U.S. public authorities could access transferred data without adequate limits and EU citizens had no effective judicial redress. A further flaw in the system was that it allowed third parties to receive information without the affected users being notified that their information was being used and held by an entity unknown to them.

In 2016, the European Commission approved the EU-US Privacy Shield as a replacement for the invalidated Safe Harbor program. Between the invalidation of Safe Harbor and the adoption of Privacy Shield, companies were left in limbo, unsure how to proceed without a recognized transfer mechanism. Under Privacy Shield, U.S. companies were required to meet seven requirements for processing personal information: informing individuals about data processing, providing free and accessible dispute resolution, cooperating with the Department of Commerce, maintaining data integrity and purpose limitation, ensuring accountability for data transferred to third parties, being transparent about enforcement actions, and keeping their commitments for as long as they hold the data. The program is important because it protects the privacy of EU citizens from foreign entities. The EU was concerned that the U.S. government had excessive access to European data and that citizens had no way to formally challenge that access.

The Privacy Shield and Safe Harbor programs share many similarities, but a major difference is that Privacy Shield sharpens its focus on the individual rights of EU citizens. It imposes stricter rules on U.S. businesses while also limiting the U.S. government's access to personal information. Safe Harbor required an organization only to provide notice and choice to consumers before sharing information with a third party, and it contained an exception: a third party acting as the organization's agent could receive personal information without notice or choice being offered to individuals. As a result, data about EU citizens was transmitted to and held by many more organizations than individuals realized, and they had no real control over whom their information was shared with; Privacy Shield was formed partly in response to this loophole. Under the new program, any third party must comply with the Privacy Shield principles at the same level as the original organization.

The European Union and the United States approach privacy law differently. The EU has a single, unified, and robust set of rules, the General Data Protection Regulation (GDPR), while the U.S. has privacy laws that are not all-encompassing but sector-specific, with some states implementing more robust privacy laws than exist nationwide. Privacy Shield is an agreement between the EU and U.S. under which a company that meets its requirements is deemed to provide adequate protection, satisfying both Privacy Shield itself and the GDPR's requirements for international data transfers. Federal privacy laws in the U.S. regulate specific sectors, such as HIPAA (healthcare), FISMA (federal agencies), NIST standards (guidance for non-federal systems handling federal data), and GLBA (finance). Compared to the EU, much is left to be desired in U.S. privacy law, although some states, such as California, come close to the standards set by the GDPR. In 2002, California became the first state to pass a breach-notification law, SB 1386, which required businesses and state agencies to promptly notify California residents of breaches of their personal information. In 2003 California enacted the California Online Privacy Protection Act of 2003 (CalOPPA), which applies to any person or company anywhere in the world whose commercial website or online service collects personal information from California residents; it requires the website to post a privacy policy stating what information is collected and with whom it will be shared. This resembles Privacy Shield, as both require an organization to notify individuals of what information is collected and specifically with whom it will be shared. Laws such as CalOPPA and SB 1386 are not automatically adopted by other states, however; each state must enact its own statute, unlike the EU, which is unified both in how it implements its privacy laws and in how those laws are structured.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes strict rules on the healthcare sector to secure personal health information. The law is important because it protects individual privacy and leads to better quality of care: HIPAA enables medical information to be shared securely so that medical professionals can make the best assessments for their patients, while protecting patients' personal privacy and health information. This matters because it protects patients from embarrassment, job discrimination, and potential denial of insurance. The Children's Online Privacy Protection Act of 1998 (COPPA) shares a significant number of rules with Privacy Shield, except that it only protects children's privacy. One such rule is that websites must post a privacy notice defining the type of information collected, its purpose, and whether any information will be disclosed to third parties; the notice must also include contact information for the operators of a site directed at children. Privacy Shield has the same requirement, but it applies not just to websites directed at children and instead protects all EU citizens. Another COPPA requirement is that parents must be given the opportunity to review any information collected about their children and to have that information permanently deleted from an organization's records. Privacy Shield has the same rule regarding the ability to remove or correct personal information in an organization's records, except that COPPA, unlike Privacy Shield, is limited to children.

The Gramm-Leach-Bliley Act of 1999 (GLBA) aims to protect the personal information and privacy of individuals. The act regulates financial institutions and puts strict barriers on information sharing between them in order to protect consumers. GLBA limits the ability of banks, insurance companies, and credit providers to share clients' private and financial information with one another. These organizations must also explain how they share and protect customer information, and GLBA requires them to give individuals the ability to opt out of having their information shared with non-affiliated third parties. Privacy Shield requires all organizations, not just financial ones, to provide users this information and the ability to opt out.

Another specialized U.S. privacy law is the Family Educational Rights and Privacy Act (FERPA). FERPA applies to educational institutions that receive federal funding. It grants privacy rights to students eighteen years or older and to the parents of minors: parents and eligible students may inspect any educational records the institution maintains and have the right to request correction of any mistakes in those records. A school may release information only under specific circumstances; otherwise it must not release any individual's information without prior consent. This act resembles many of the laws and programs mentioned above: individuals must be allowed to view and correct information about them, and consent is required to share it. Unlike European privacy law, which is unified and applied comprehensively, this law, like many other U.S. privacy laws, is confined to a single sector.

Privacy laws affect how businesses operate, the nature of their relationships with other organizations, and whom they do business with. The nature of business is changing: many operations are now conducted over the internet, and reaching a global audience is not unusual. An organization needs to be aware of privacy laws across the globe and comply with those required to conduct business legally. Any large U.S. organization is more likely than not doing business in multiple foreign jurisdictions, and without a unified worldwide agreement, privacy laws can be tricky to navigate. Keeping track of every law around the world can be confusing, but one straightforward approach is for an organization to adopt a restrictive set of procedures that satisfies the strictest regulations it faces. Securing the privacy and personal information of customers is important not only legally but also as a matter of respecting the information individuals have provided. An organization that cares for the privacy of its users can attract more customers than its competitors by developing a trusting relationship with those users. In the end, failing to comply with regulations can cost a business its whole operation or leave it unable to conduct business in a region.

Works Cited

Carron, Christine A., and Martha A. Healey. "Privacy Laws and Regulations around the Globe: The Impact on Doing Business Internationally." Lexology, 3 Nov. 2009, www.lexology.com/library/detail.aspx?g=2fe09e32-56cc-4ffb-a75f-0ba3d96b4e6b.

"GDPR vs Privacy Shield." PrivacyTrust, www.privacytrust.com/privacyshield/gdpr-vs-privacy-shield.html.

Owen. "How Does Safe Harbor Compare to the EU-US Privacy Shield?" OTAVA, 11 Apr. 2019, www.otava.com/reference/how-does-safe-harbor-compare-to-the-eu-us-privacy-shield/.

Rouse, Margaret, and Matthew Haughn. "What Is Privacy Shield (EU-US Privacy Shield)?" WhatIs.com, Feb. 2017, whatis.techtarget.com/definition/EU-US-Privacy-Shield.

Stewart, James M. CISSP: Certified Information Systems Security Professional Study Guide. Wiley-Sybex, 2018.
