
American Cyber Security Management

Secure and certify all your data and processes


Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities aims to reestablish lawful basis for EU-U.S. data transfers

November 14, 2022 By American Cyber Security Management

On October 7, 2022, President Biden signed an Executive Order to implement a data privacy framework for data transfers between the European Union and the United States.

The EU’s General Data Protection Regulation (GDPR) places restrictions on transfers of personal data to certain countries outside of the EU and the European Economic Area (EEA). The United States is considered to be a high-risk country due to its lack of comprehensive privacy legislation, along with laws such as the Foreign Intelligence Surveillance Act (FISA), which governs electronic surveillance by law enforcement of foreign powers and agents of foreign powers. This applies particularly to § 702, which permits law enforcement to conduct targeted surveillance of foreign persons located outside of the United States, with the compelled assistance of electronic communication service providers, to acquire foreign intelligence information when this information traverses U.S. territory.

For GDPR compliance, an adequacy decision from the European Commission is required for the lawful transfer of data between the EU and countries such as the United States. Said adequacy decisions are made by the European Commission and certify that data transfers between the EU and the country in question are sufficient to satisfy GDPR restrictions.

The now invalidated EU-U.S. Privacy Shield used to permit EU-based companies to lawfully transfer personal data to U.S.-based companies that were in compliance with the Privacy Shield Framework. However, in the Court of Justice of the European Union’s 2020 Schrems II decision, compliance with the Privacy Shield as an adequacy decision was invalidated, leaving EU-based companies with few means of lawfully transferring personal data between the EU and the United States.

As was noted in a publication announcing the signing of the new Executive Order, transatlantic data flows are critical to the $7.1 trillion in economic activity between the EU and the United States. The Executive Order will reestablish a legal basis for lawful transatlantic data transfers by addressing concerns that the Court of Justice of the European Union raised in Schrems II when it struck down the EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.

The Executive Order imposes restrictions on access by the U.S. government to data transferred from some jurisdictions, including the EU, and provides for legal redress for individuals with claims that their privacy rights have been infringed. The Executive Order requires that relevant surveillance activities be conducted only in pursuit of defined national security objectives and must take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence. Moreover, said surveillance must be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportional to that priority. The Executive Order further requires the U.S. Intelligence Community to update its policies and procedures to reflect the privacy and civil liberties safeguards contained in the Executive Order.

Notably, the Executive Order creates a mechanism for individuals from qualifying countries to obtain an independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law.

While the European Commission must still determine whether the Executive Order is sufficient for an adequacy decision, the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities is likely to provide some sense of direction for organization leaders striving to remain ahead of the rapidly changing privacy and security landscape. For said forward-thinking organization leaders, American Cyber Security Management is available to assist in proactively assessing and remediating their data privacy and cybersecurity management needs. To learn more about how ACSM can help your organization, please use our contact page at https://www.americancsm.com/contact-us/ and schedule a free discovery call today.

American Cyber Security Management is a leader in data privacy, cybersecurity, and Compliance. Our mission is to help enterprises protect their data from internal and external threats. We offer on-demand assessment, implementation, and sustainability services that focus on Privacy and Cybersecurity readiness and compliance, risk reduction, and mitigation. https://www.americancsm.com

Filed Under: Cyber Security News

Business leaders stand to benefit from ensuring their organizations wisely manage data

October 10, 2022 By American Cyber Security Management

Last year, Apple released a software update featuring advances to sustain its privacy leadership. These new features help users control and monitor apps’ use of their data. Apple’s approach of giving customers a more active role in protecting their own privacy appears to be popular with Apple’s customers. Still, it seems less popular with social media platforms such as Facebook, as it has caused shifts in online advertising that have had a considerable impact on the tech giant’s ad business.

Among the changes to its privacy policy, Apple requires apps to ask users if they want to be tracked. As expected, these new privacy standards diminish apps’ ability to gather customer data needed for generating revenue from targeted ads.

Consumers today utilize more apps and other technology than ever before, and they are acutely aware of the value of their data and personal information. Consequently, consumers are attracted to products and services offered by companies that make safeguarding consumer data a priority. At the same time, the increased prevalence of technology usage and data transfers has resulted in more opportunities for malfeasance.

Understandably, data privacy and cyber security are top of mind for business leaders who collect or otherwise interact with consumer data. As data continues to be collected in growing forms and amounts for an increasing variety of purposes, forward-thinking business leaders will ensure their organizations are responsibly managing their collection and use of customer, employee, and user data.

American Cyber Security Management has direct experience assessing and remediating data privacy management programs for optimal efficacy. Our approach allows us to address vulnerabilities and give organization leaders the insight and specific step-by-step recommendations necessary to reduce risks and address any identified vulnerabilities. To learn more about how ACSM can help your organization please use our contact page https://www.americancsm.com/contact-us/ and schedule a free discovery call today.


Filed Under: Cyber Security News

Released draft of the proposed American Data Privacy and Protection Act provides insight into what’s on the horizon

September 28, 2022 By American Cyber Security Management

Earlier this summer, a draft was released of the American Data Privacy and Protection Act (ADPPA) that is making its way through the legislative process. Although any formally proposed legislation will likely vary in some respects, this draft of the ADPPA provides some insight into what can be expected from any upcoming final iterations of the legislation.

The stated purpose of the ADPPA is “to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.” The ADPPA identifies four key components to achieve its purpose: (1) a duty of loyalty; (2) consumer data rights; (3) corporate accountability; (4) enforcement and applicability. 

ADPPA outlines a duty of loyalty which is based on data minimization, certain loyalty duties, privacy by design, and loyalty to individuals with respect to pricing. In general, a covered entity shall not collect, process, or transfer covered data beyond what is reasonably necessary, proportionate, and limited to provide or maintain a specific product or service. With some exceptions, ADPPA restricts the collection, processing, and transferring of certain information, including Social Security Numbers, geolocation data, biometric information, and other sensitive personal information. 

To be ADPPA compliant, a covered entity must establish and implement policies, practices, and procedures regarding the collection, processing, and transfer of covered data, which adequately safeguard data, mitigate privacy risks, and promote compliance with all applicable privacy laws. 

Under ADPPA, a covered entity may not deny, charge different prices or rates, or condition (or effectively condition), the provision of a service or product to an individual on the individual’s agreement to waive any privacy rights guaranteed by the ADPPA. 

Included in consumer data rights are: consumer awareness, transparency, individual data ownership and control, right to consent and object, and data protections for children and minors. To support these consumer data rights, ADPPA includes provisions governing third-party collecting entities, civil rights and algorithms, data security and protection of covered data, and opt-out mechanisms. 

In addition to recognizing consumer rights and organizations’ duties, ADPPA also establishes certain corporate accountability measures for executives such as the required designation of at least one corporate privacy officer. 

Although it is unclear when the United States will join the growing list of nations with comprehensive privacy legislation on the books, American Cyber Security Management is positioned to assist companies and organizations in proactively assessing and remediating their data privacy and cybersecurity management needs. 

To learn more about how ACSM can help your organization please use our contact page https://www.americancsm.com/contact-us/ and schedule a free discovery call today.


Filed Under: Cyber Security News

ACSM Presents at CSA Fall Summit 2022

September 26, 2022 By American Cyber Security Management

AmericanCSM.com (ACSM) is proud to announce that Carlin Dornbusch will present at the Cloud Security Alliance (CSA) Denver Fall Summit ’22. The CSA Fall Summit is an annual event, held this year at The Tivoli Center (900 Auraria Parkway, Denver, CO 80204) on October 18, 2022. This all-day event brings together Colorado’s best cloud security experts to discuss and share the latest in Security, Compliance, and Privacy. Carlin will be presenting the latest in Dark Patterns. Dark Patterns are Privacy anti-patterns that businesses have implemented in order to extract more information from consumers than expected. This session will focus on identifying these patterns through numerous examples and a discussion of the current state of the issue and of privacy compliance.

You can register for the CSA Fall Summit here: https://www.eventbrite.com/e/csa-colorado-fall-summit-2022-registration-354978429037

To learn more about how ACSM can help support your data privacy needs, please use our contact page https://www.americancsm.com/contact-us/ and schedule a free consultation call today.

Filed Under: Cyber Security News

ACSM and Schellman talk ISO-27001

August 31, 2022 By American Cyber Security Management

AmericanCSM.com (ACSM) and Schellman are coming together to discuss the value of ISO-27001 Certification. ACSM’s CEO, Carlin Dornbusch (https://www.linkedin.com/in/carlindornbusch/), and ACSM’s VP, Paul Herbka (https://www.linkedin.com/in/pherbka/), talk with Schellman’s ISO Practice Director, Danny Manimbo (https://www.linkedin.com/in/danny-manimbo-2b199718/), on September 15th, 1:00 pm ET, about the value of businesses becoming ISO-27001 certified. If you are interested in learning more about ISO-27001 certification for your business, or what it takes to get there, this informative presentation will answer many of your questions.

You can register for this webinar here: https://www.schellman.com/the-true-value-of-iso-27001-and-how-to-get-certified 

ACSM is now offering ISO-27001 Lead Auditor and Lead Implementer certification courses for individuals leading their businesses to this important certification. You can learn more about ACSM’s new ISO-27001 Certification Training here: https://www.americancsm.com/iso27001training/

To learn more about how ACSM can help support your data privacy needs, please use our contact page https://www.americancsm.com/contact-us/ and schedule a free consultation call today.


Filed Under: Cyber Security News


Copyright © 2026 American Cyber Security Management