Ashley Eisenberg, data privacy officer at Forter, told PYMNTS in a recent interview that as companies do business across borders, data access — and protection — are top of mind.
“Organizations have started to realize that their data is a valuable asset,” she said.
For enterprises based in the U.S. and Europe, collaboration on personal data flows is rapidly becoming standardized.
The U.S. has yet to adopt a federal mandate on data sharing and privacy that determines how businesses collect and disseminate consumer-level information (though individual states, such as California, have taken on such efforts). But as reported over the summer, the European Commission announced that it has finalized the EU-U.S. Data Privacy Framework (DPF), placing limits on access to EU data. The DPF will govern the data flows across the Atlantic that in turn facilitate $1 trillion in cross-border trade and investment annually, as estimated this year by the U.S. Commerce Department.
Eisenberg pointed out that the framework is on its third iteration: it was struck down amid legal challenges in the middle of the last decade and most recently in 2020, while the 2023 version has been fully ratified as a legal way to transfer data.
There may be legal challenges that lie ahead, Eisenberg said, and some tweaks. But the privacy framework at its core exists as a set of rules that govern how personal data can be transferred between the European Union and the United States.
“It essentially provides a mechanism for lawfully transferring that data to the U.S. without having to put in place additional data protection safeguards,” she said, which can include impact assessments or new encryption layers.
She said the EU’s own data privacy law, governed by the General Data Protection Regulation (GDPR), restricts transfers of personal data from Europe to countries outside of Europe, unless and until a country has been recognized as offering a level of data protection that is essentially equivalent to the level of protection offered in Europe.
For organizations that have self-certified under the framework, personal data can now flow freely from companies in the European Union to those organizations in the U.S. that have certified.
The data that falls under the confines of the data protection framework, Eisenberg said, can include just about any piece of information that can be linked back to an individual, from the obvious details such as names and phone numbers all the way through IP addresses. Organizations self-certify within the framework, logging onto the U.S. Department of Commerce’s website to attest that they are committed to at least baseline levels of privacy consistent with the framework, and listing the types of data they expect to receive from Europe under the framework.
Companies that receive certification “don’t have to put in place additional measures to protect the data, and they don’t have to risk regulatory scrutiny as a result of that transfer,” Eisenberg said.
In today’s world where privacy is increasingly top of mind for individuals, Eisenberg said, “it’s really important to have that framework in place to ensure that European companies can operate globally and engage with U.S. companies,” adding that certification “means that they can more readily do business with U.S.-based organizations and cut down on the time spent looking into the privacy practices of those organizations.”
On the flip side of the equation, for U.S.-based companies, the framework helps them demonstrate a commitment to privacy and to protecting users’ data, in turn “fostering that trust and consumer confidence” in those companies, she said.
For providers such as Forter, enlisted in making sure that client firms are in compliance with data sharing tenets (and that proverbial operational boxes are ticked), “we’re really seeing the pressure being taken off of those organizations — and they’re happy to rely on the framework.”