– Son, either with this or on this.

Legend has it that Spartan mothers sent their sons off to war with this blunt admonition. Either return home safely with your shield, showing that you did not run from battle, or be carried home on the shield. Cultural expectations for success thus were rather clear.

One of the more interesting aspects of the titanic cybersecurity struggle underway around the world lies in cultural expectations over the security of individuals’ personal data. This issue has been playing out in very public fashion over the past few months as the United States and the European Union (EU) negotiated an agreement on how data belonging to European citizens must be protected by U.S. companies that handle that data. Since 2000, the framework for protecting the data lay in what was termed the Safe Harbor agreement. Basically, the agreement required companies that collected personal data to inform people their data was being gathered, tell them what would be done with it, obtain permission to pass on the information to a third party, allow people access to the data gathered, ensure data integrity and security, and offer a way to enforce compliance.

All this fell apart when an Austrian privacy activist filed suit challenging the legality of Facebook’s handling of his personal information under European privacy law. As the suit played out, it became increasingly clear that European nations were much more concerned about privacy than were many U.S. actors. The Safe Harbor agreement relied on self-certification: U.S. companies could self-certify that they would comply with EU data protection standards, which allowed the transfer of European data to the United States. More than 5,000 companies did so.

The fly in the ointment was that while U.S. companies might certify that they were following Safe Harbor Principles, U.S. law made it possible for U.S. law enforcement and national security agencies to access data presumed protected by Safe Harbor. That smoldering issue ignited when former National Security Agency (NSA) contractor Edward Snowden made clear that the NSA had a thriving global surveillance program. The lawsuit that led to the demise of the Safe Harbor agreement was premised on the assertion that Facebook was not protecting users from the NSA’s mass surveillance program. In October 2015, the EU’s highest court, the European Court of Justice, essentially agreed with that assertion, finding the Safe Harbor agreement was not serving the purpose for which it was created.

Last week, the United States and the European Union announced a provisional agreement that creates “The Shield,” the successor to Safe Harbor. Read the fascinating back story on the creation of The Shield here. But this will not be the end of the story. Europe will continue to be far more aggressive in protecting its citizens’ data than will the United States. It is a decided cultural distinction that will continue to have profound consequences. The Shield, in whatever form, may be seen as inadequate for fending off attacks on data privacy and find its way back to the European Court of Justice.

Unlike ancient Sparta, expectations for success are not altogether clear. What is even more likely is that ever more restrictive approaches to data transfer and handling of European data will become the practice. U.S. companies should note this likelihood, as should companies around the world that will do business with the European Union. For multinational companies, privacy issues will become ever more challenging from both a compliance and customer expectation perspective.

By Tom Davis, SDI Cyber Risk Practice
February 9, 2016