In recent news, the EU and US are to begin talks on data privacy as it relates to personal data security. Why? Isn’t online security getting more and more robust? Isn’t transacting online business a safe practice that needs no additional worry on behalf of the consumer?
The answer to those questions, in general, is a resounding “yes”. However, online fraud in the EU is dropping while the US is experiencing a surge in fraudulent online activity. Europeans are obviously concerned and, as outlined in a recent article, EU citizens are concerned that Washington is not providing enough oversight to properly safeguard data. Both EU payment card standards and the often more stringent data privacy laws in the EU contribute to the lower percentage of fraud in the EU.
PCI DSS 2.0 requires US eCommerce vendors to ensure that the data they store or transmit is secure and private. Safe Harbor principles require that a US company meet 7 data privacy standards in order to store the data of EU citizens. The problem is that companies only need to self-certify to be eligible for Safe Harbor, while many US eCommerce vendors must go through a rigorous process to obtain PCI certification. Depending on the company, PCI DSS 2.0 rules can be more strict and demand that US companies meet higher standards than are necessary to meet Safe Harbor guidelines.
So is Europe right to be concerned? You bet they are. What is needed is a revamping of Safe Harbor guidelines to help protect the data of EU citizens that is maintained in US systems. Safe Harbor is a set of guidelines originally developed by the European Commission and the US Dept. of Commerce. One of the original drivers for Safe Harbor was to make it possible for US businesses to continue to transact business with European customers with as little disruption as possible to business processes. Experts in the EU like Leo Van der Wees (a scholar at the Tilburg Institute for Law, Technology and Society at the University of Tilburg) are now advising that European companies think twice before engaging with a US partner that claims to meet Safe Harbor guidelines. Perhaps it’s time for both the US and EU to rethink the current Safe Harbor strategy of “easing process before ensuring privacy.”