EU-US Privacy Shield Still Not Protecting Your Privacy
The full text of the new draft EU-US Privacy Shield was released February 29th but has not been signed yet. It makes some changes from the previous Safe Harbor Agreement. While some are good improvements, others seem not to change how our data is handled at all. A decision on whether the draft agreement is acceptable is expected between mid-April and the end of April.
History: Safe Harbor Agreement
Before going into the Privacy Shield, here is the history of why we needed a new agreement between the European Union and the United States. In an earlier blog, Safe Harbor Ruled Invalid, How it Affects You, we talked about the ruling that invalidated the Safe Harbor Agreement and how it affected businesses and consumers. So here’s a little history on the old Safe Harbor Agreement:
The European Union (EU) and the United States (US) established the Safe Harbor Pact in 2000. This allowed businesses to legally transfer data across the Atlantic. Common data storage and transfers might include global commerce, sending and receiving emails, and even posting on social media. US companies could “self-certify” that they met the stricter European privacy standards.
In early October of 2015, following a case brought by the Austrian student Max Schrems, the European Court of Justice found that the US approach to domestic surveillance and the absence of legislation governing certain privacy rights were not up to European standards. The EU then declared the Safe Harbor pact invalid. The EU believes the US has compromised its citizens’ data and wants changes made to ensure the US is not spying on them.
While there are some improvements to the trans-Atlantic data transfer deal, many say it does not differ much from the original Safe Harbor and does not address the “core concerns and fundamental flaws of US surveillance law and the lack of privacy protections under US law.”
Key Positive Takeaways:
Citizen and Company Complaints
The new agreement gives companies and citizens the chance to complain about and dispute any mishandling of records and personal information. Governments must resolve such complaints within 45 days or use a free “Alternative Dispute Resolution”.
An ombudsman is a public advocate representing the interests of the public by investigating and addressing complaints. An ombudsman within the US State Department will handle any allegations of privacy violations.
Key Negative Takeaways:
Collecting Data in “Bulk”
In a press release from February 29th, the European Commission states there will be “no indiscriminate or mass surveillance by national security authorities.” But that statement is then contradicted by this list of permitted purposes:
- Detecting and countering certain activities of foreign powers
- Detecting and countering threats to US or allied armed forces
- Combating transnational criminal threats, including sanctions evasion
US Judicial Redress Act
In addition to the Privacy Shield, President Obama signed the U.S. Judicial Redress Act on February 24th, which will “give EU citizens access to US courts to enforce privacy rights in relation to personal data transferred to the U.S. for law enforcement purposes.” […] “The Judicial Redress Act will extend the rights U.S. citizens and residents enjoy under the 1974 Privacy Act also to EU citizens.”
At first that sounds good. After further research on the Privacy Act of 1974, however, many believe the Privacy Act is “worthless”, and the Electronic Frontier Foundation (EFF) holds similar views. There are many exceptions, including 32 CFR 322.7, which exempts the NSA from the privacy rules on records maintained on individuals under 5 U.S. Code § 552a.
“Essential Equivalence” Non-Existent
One of the most important parts of changing this agreement was to have “essential equivalence” of European data protection in the US. Max Schrems points out that this deal falls short:
“The new deal does not even address the matter of private sector data misuse, despite the fact that there would have been much more leeway than in the government sector. There are tiny improvements, but the core rules on private data usage are miles away from EU law.” (TechCrunch)
Privacy Shield Certified
Under the Privacy Shield a business can become “certified” to establish “adequate” protections for trans-Atlantic data transfers. While this helps to protect your business from data transfer problems, it does not protect you completely.
The new agreement allows Data Protection Authorities (DPAs) to suspend data flows regardless of whether a business is Privacy Shield certified. This means you cannot guarantee continuous data flow for your company.
The EU-US Privacy Shield still needs to be approved by the EU’s WP29, also known as the Article 29 Working Party, and given the privacy issues others have already found in the draft, approval does not seem likely.
“They tried to put 10 layers of lipstick on a pig, but I doubt the court and the DPAs now suddenly want to cuddle with it.”
Many large organizations – specifically labor unions – struggle trying to keep their member data updated and accessible. Without a centralized database, the most up-to-date vital pieces of information often find their way into a collection of personal spreadsheets and sticky notes rather than somewhere useful.
But what makes a centralized database somewhere useful in the first place? Let’s take a closer look at a few of the benefits and let you decide for yourself.
Easily Remain Compliant with Ever-Changing Government Policies
It’s no secret that our government changes the rules – frequently. Labor unions in particular have witnessed Right-To-Work laws changing the way they collect dues in a growing number of states since the 1940s. A centralized database can help to highlight which members live in Right-To-Work states. This then allows leadership to enact separate collection policies depending on each state’s individual requirements.
Whether you’re selling books or tracking dues payments, a clear and complete audit trail can be a lifesaver in the case of a government audit, but there are less obvious benefits as well. Member systems can track not only financial information but also any changes to the member data itself. Need to know when a member’s address changed? An audit trail can provide not only when, but also who – and in some cases why.
A centralized database means that every member has exactly one record. It becomes much simpler, for example, to update a member’s address if there is only one record to update. Imagine if an organization stored member data in a collection of spreadsheets or locally stored Access databases. It might take hours to locate and update every instance of a member’s address. Even then, it throws the door wide open for mistakes, causing endless frustration for the unfortunate member who can’t seem to get a bill mailed to the correct address.
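One way to model the “exactly one record per member, every change audited” idea from this paragraph, as an added example that is not Appletree’s member data system; the class and field names are assumptions:

```python
"""One record per member plus an audit trail of when, who and why.
Added illustration; not Appletree MediaWorks' product code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class AuditEntry:
    member_id: str
    field_name: str
    old_value: Optional[str]   # None when the field is first populated
    new_value: str
    changed_by: str            # staff account that made the change
    reason: str                # free-text justification (may be empty)
    changed_at: datetime


class MemberStore:
    def __init__(self) -> None:
        self._members: Dict[str, Dict[str, str]] = {}  # one record per id
        self._audit: List[AuditEntry] = []

    def add_member(self, member_id: str, record: Dict[str, str],
                   changed_by: str, now: Optional[datetime] = None) -> None:
        if member_id in self._members:
            raise ValueError(f"member {member_id} already has a record")
        self._members[member_id] = {}
        for field_name, value in record.items():
            self.update(member_id, field_name, value, changed_by, "initial load", now)

    def update(self, member_id: str, field_name: str, new_value: str,
               changed_by: str, reason: str = "",
               now: Optional[datetime] = None) -> bool:
        record = self._members[member_id]  # KeyError: never silently create a record
        old_value = record.get(field_name)
        if old_value == new_value:
            return False  # no-op edits are not written to the trail
        record[field_name] = new_value
        self._audit.append(AuditEntry(member_id, field_name, old_value, new_value,
                                      changed_by, reason,
                                      now or datetime.now(timezone.utc)))
        return True

    def history(self, member_id: str, field_name: str) -> List[AuditEntry]:
        """Answer 'when did this field change, by whom, and why?'"""
        return [e for e in self._audit
                if e.member_id == member_id and e.field_name == field_name]
```

Because there is only one record, one `update()` call changes the address everywhere, and `history()` reconstructs who changed it and when.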
The example we’ve seen time and time again is when an employer sends over a spreadsheet of their current union employee data. The local must then go through the spreadsheet and look for edits. Local reps seldom send these edits on to the district or national level. This lack of data integrity creates wasted postage for returned items and an even bigger issue of member disconnect.
Consistent Member Experience
Maintaining an internally accessible member database fosters a much more satisfying experience for members throughout your organization. Union reps can store notes on a member’s account which the next person who assists that individual can see. Members end up feeling far less frustrated when they don’t need to re-explain themselves with every interaction.
Most modern database solutions allow for integration with your website or mobile application. Data gets fed directly into the database where it becomes instantly available to the entire organization. Once set up, member data systems accept updates directly from the web – often from the members themselves.
Additionally, union reps can collect and update member information at special events and trade shows this way using nothing more imposing than a tablet. Our company recently did this for a union client at their constitutional convention. Dozens of members discovered that their contact information was out of date with their union. Members simply updated their information on the tablet. Within minutes, their contact information synchronized across to the national, district and local levels.
Easier Training of Office Staff
With a single data entry and maintenance system, the learning curve for new hires is greatly reduced. The “write this in this notebook”, “make sure you forward this on to”, and “what was that spreadsheet named” headaches go out the window. Just log in, update the information, and everyone has access to the same updated information.
It may seem counterintuitive, but it is actually much more secure to have one centrally located source of information accessible throughout an organization. In the same way it is easier to patch a hole than a net, having one point of failure allows you to build multiple layers of security around it, knowing your members’ data is safely stored within. In case a breach does occur, damage control can immediately kick into gear since the audit trail and server logs tell us exactly what happened.
Although it may be easy to imagine that centralizing the data and making it accessible (to the right people) online makes it a target, the alternative is often far less attractive. In spreadsheet offices, for example, it is not uncommon for sensitive data to end up on laptops. Employees then transport these laptops off premises, into a world where laptop theft occurs every 53 seconds. Furthermore, when laptops go missing, it is often difficult or impossible to know exactly what was on them. By contrast, organizations can easily lock a staff member’s account out of a central database in case of laptop theft.
Yes, We Need a Member Data System
If you found yourself nodding your head yes while reading this article, then it likely is time to move forward with a member data system. Appletree MediaWorks is an experienced firm in this field. We offer a flexible member data system product to our union clients. Our employees are union members too, so we understand your organization’s needs. Whether you’re a small local or a national union, Appletree Media is happy to help you get your member data organized with an affordable solution that will grow with your organization.
Don’t miss the 2nd article in this series where we discuss systems to integrate with your member data system. These include: member dues, certification tracking and contract management.
Set your mind at ease and back up your files now.
One of the most important (but also most neglected) areas of computing is backing up your data. Most people assume they’re safe because they’ve never experienced a disaster in the past, but they are sadly mistaken. It’s not a matter of if, it’s a matter of when. Laptops get wet, hard drives die, viruses are caught, tablets are stolen; at some point you will be kicking yourself if you neglect the important task of backing up your data.
What does it mean to “back up”?
“Backing up” refers to the copying and archiving of computer data so it may be used to restore the original data after a data loss event. When a computer user backs up their data, they are storing a copy of their information in a safe and secure place. There are many options when it comes to backing up your data, and most of them are reasonably priced.
Why is backing up important?
Backups protect you from hardware failure, viruses, theft, accidental deletion, fires, floods and other disasters. If you were to experience any of these events without first backing up your data, you run the risk of losing all your work and important files. It is suggested that you have at least two off-site backup copies of your data; however, many people get by with just one.
What products are recommended for making backups?
1. Subscription Backup Services
There are many services out there to assist businesses and individuals in backing up their data, often with only a few clicks of the mouse. Carbonite boasts that they are automatic, secure, and affordable with plans starting at $59 per year. Many of our clients have also been happy using Mozy for their backup vendor. Another great service is Crashplan, whose plans start at less than $20 a year.
2. Cloud-based Document Storage Services
For documents that you are constantly using and changing, you may want to consider a cloud storage option, such as Google Drive or Dropbox. Both of these options offer two-step verification for added security, as well as a small amount of free storage. More storage space is also available for purchase from both of these vendors.
3. Self-service Storage
If a paid service doesn’t fit your budget, you can also back up your data yourself. Technology retailers have storage devices available for purchase, and you can talk to a customer service representative to decide which storage device is right for you. The only downside to this is, of course, that you have to actually remember to back up your data on a regular basis.
How do website vendors protect your data?
Our staff here at Appletree MediaWorks, LLC has seen viruses take out websites, we’ve seen malicious activity cripple a site, and we’ve seen website plugin updates wreak havoc on entire websites, but in the end it all came down to restoring the website and databases from backup. We keep your website and databases backed up nightly, and the information is always stored in a safe place. As for the rest of the data and pictures on your personal computer, please see our advice above or give us a call; we’d be happy to have one of our developers help you set up a backup plan.
Then you won’t have to ask the question, how do I recover my data after a computer crash?