In 1998, the European Commission implemented EU Directive 95/46/EC, more commonly known as the “data protection directive”. The directive is designed to protect the privacy of individuals and all personal data collected for or about citizens of the European Union, especially as that data is processed, used, or exchanged. Directive 95/46/EC encompasses all key elements of Article 8 of the European Convention on Human Rights, which affirms the right to respect for private and family life, the home and personal correspondence. The Directive is based on the 1980 OECD “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data.”

The seven principles governing the OECD’s recommendations for protection of personal data were:

  • Notice—data subjects should be given notice when their data is being collected;
  • Purpose—data should only be used for the purpose stated and not for any other purposes;
  • Consent—data should not be disclosed or shared with third parties without the data subject’s consent;
  • Security—collected data should be kept secure from any potential abuses, theft or loss;
  • Disclosure—data subjects should be informed as to who is collecting their data;
  • Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
  • Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles.

In the context of the Directive, personal data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (Article 2a). Data is considered personal when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link. Examples of such data include address, bank statements, credit card numbers, etc. Processing is also broadly defined and involves any manual or automatic operation on personal data, including its collection, recording, organization, storage, modification, retrieval, use, transmission, dissemination or publication, and even blocking, erasure or destruction (paraphrased from Article 2b).

These data protection rules apply not only when the responsible party (called the controller in this EU directive) is established or operates within the EU, but whenever the controller uses equipment located inside the EU to process personal data. Thus, controllers from outside the EU who process personal data inside the EU must nevertheless comply with this directive. Each EU member state sets up a supervisory authority whose job is to monitor data protection levels in that state, to advise the government about related rules and regulations, and to initiate legal proceedings when data protection regulations are broken. All controllers must notify their supervisory authority before commencing any processing of personal information, and the directive prescribes in detail what such a notification must contain: the name and address of the controller or its representative, the purpose(s) of the processing, descriptions of the categories of data subjects and of the data or categories of data to be collected, the recipients to whom such data might be disclosed, any proposed transfers of data to third countries, and a general description of the protective measures taken to ensure the safety and security of the processing and the related data.

U.S. – EU Safe Harbor Framework

To provide a streamlined process for U.S.-based organizations to continue transatlantic data flows, the Department of Commerce, the Federal Trade Commission, and the business community engaged with the European Commission to issue the U.S.–EU Safe Harbor Framework in 2000. Safe Harbor is a voluntary, self-certification program that exempts companies from the liability they would otherwise risk, while also providing the savings that accrue from streamlining operations. U.S. organizations obtain this exemption by self-certifying that they adhere to the Safe Harbor privacy principles and will abide by the requirements for dispute resolution by a third party.

Federal oversight of the Safe Harbor process is provided under section 5 of the Federal Trade Act of 1934. Under this authority, the Federal Trade Commission (FTC) investigates allegations of deceptive and unfair trade practices. Although self-certification is voluntary, failure to adhere to the principles may be viewed by the FTC as a misleading trade practice. To date, 1,300 U.S. companies have certified to Safe Harbor.

ERG’s WebSphere vulnerability assessment methodology can help your organization satisfy EU Directive 95/46/EC and Safe Harbor considerations, where applicable, while safeguarding the reliability of operations. Our assessments identify flaws or weaknesses in data protection measures without introducing additional risk to essential systems, such as the risk posed by traditional penetration testing tools that can impair the networks and computers that make up BPIC systems. Evans Resource Group (ERG) has developed this approach based on years of helping BPIC customers achieve secure network compliance. Our methodology does not require the risky connection of test equipment to sensitive networks or the deployment of unsupported software.

To learn more about our EU Directive 95/46/EC solutions, contact us today at: info@evansrg.com