Has Privacy Shield filled Safe Harbor’s Data Privacy gap?
Imagine, if you can, a society in which all information (personal, private, business or otherwise) is hand-written, manually typed or printed and stored in darkened rooms filled to the brim with cumbersome filing cabinets, or in libraries where row upon row of shelves are laden with a myriad of books with titles that are only meaningful to a trusted few. In this society, unless there is an avid desire to replicate that information (data) for a particular pre-ordained reason, there is only one copy of that information and it is stored in a singular known location. If the nature of that data is particularly sensitive or important, then the data is stored expediently and securely in a safe or vault. In a majority of cases, because the data hasn’t been tampered with, or manipulated in any way, that data is accurate and trustworthy and, more importantly, it is only made available to third parties (individuals, businesses or organisations) once explicit agreement, written or verbal, has been obtained. There is an important concept that underpins this society and the storage of its data and it is this: whoever created that data, owns that data and, therefore, it is up to them to decide explicitly how and when that data can or can’t be used.
Although for many this illustrated society appears to be unfathomable and far removed from today’s Digital Age, it existed in predominance no more than 30 years ago and, to a lesser degree, it still pervades our society today – but for how much longer? In January 2010, while speaking at the Crunchie Awards in San Fransisco, Mark Zuckerberg, the founder of Facebook, stated that privacy could no longer be seen as being a “social norm”. However, given the number of people who still wish to zealously protect their privacy, even though those very same people often unwittingly divulge far more detail about their private lives than they realise, is this apparent progression towards a lack of privacy something that we have requested, or is it something that is being thrust upon us in the name of convenience and commerce? Despite this being an important question that everyone should be asking themselves, perhaps by association, we should also be asking whether or not adequate, carefully considered and enforceable provisions are in place that will protect the privacy of those who wish to remain in control of their own data and who wish to ensure that unwarranted and additional data is not being stored against their name?
These questions, along with Mark Zuckerberg’s comment, may have been considered by Max Schrems while writing his term paper on Facebook’s apparent lack of awareness of European privacy laws during his law studies at Santa Clara University. This lax attitude towards data privacy, and their negligent application of the European Commission’s Safe Habor directive, which governed the transfer of data between the European Union (EU) and the United States of America (US), originally came to light during a presentation by Facebook’s privacy lawyer, Ed Palmieri. Although Palmieri’s admittances were obviously fresh in Schrems’ mind, the revelations by Edward Snowden in the 2013 PRISM spy scandal, concerning Facebook’s forwarding of private data to the US’s National Security Agency, were the final straw which led to Schrems filing five complaints in 2013 against Apple, Facebook, Microsoft, Skype and Yahoo. These complaints focussed on the named companies’ infringements of the Irish Data Protection Act 1988 (amended 2003) and the underlying regulations contained in the 1995 EU Data Protection Directive 94/46/EC, and they also raised concerns over the validity of the Directive’s Safe Harbour provision.
In 2000, the European Commission ratified a set of data privacy principles which, when applied, would allow a US company to transfer and store customer data within US territory while still complying with the EU and Swiss data privacy laws. These principles and framework were known as Safe Harbour. In order to act in accordance with the EU Data Protection Directive and the Federal Data Protection Act and Federal Data Protection Ordnance in Switzerland, US companies had to register their intent to voluntarily follow the framework (which was self regulated through its private sector members), ensure that effective training and dispute mechanisms were in place and re-certify annually, either by written self certification or through third-party assessment, their adherence to the frameworks principles – which were:
1. Notice – Companies collecting and using an individual’s data must identify how the data is being collected and how it will be used. In addition, the company must provide enquiry and complaint contact information.
2. Choice – The company must provide a means by which an individual can opt out of the data collection and forward transfer to third parties process.
3. Onward Transfer – Organisations or companies who are in receipt of data transfers must also follow adequate data protection principles.
4. Security – Adequate provision must be made to prevent loss of collected data.
5. Data Integrity – All data collected must be reliable and relevant to the purpose for which it was collected.
6. Access – Data held about an individual must be fully accessible to them and, furthermore, provision must be made to allow that individual to correct or delete inaccurate data.
7. Enforcement – The rules must be effectively enforced.
Following close examination of Schrems’ Facebook complaint by the European Court of Justice, in October 2015 they declared that Safe Harbour did not ensure sufficient protection of private data and that, therefore, the provision itself was invalid. This decision lead to further talks between the European Commission and the US authorities aimed at introducing a more substantial transatlantic data flow framework. On 2nd February 2016, these talks agreed and established a new framework called the EU-US Privacy Shield. Although this new framework has now been ratified under European law (12th July 2016), it is still the subject of criticism and wide-spread debate despite further amendments being introduced to overcome the negativity associated with its development and introduction. The main criticisms have been voiced by the Article 29 Working Party (a group of data protection authority representatives from all EU member States) who stated that Privacy Shield offers major improvements over Safe Harbour but they held concerns about data deletion, mass data collection and retention and the new US Ombudsperson mechanism, the European Data Protection Supervisor who considered that the new framework is insufficiently robust to be able to withstand future legal scrutiny by the European courts and others, including Shrems, who felt that the new provisions still failed to adequately ensure the protection of private data – largely because Privacy Shield is, in essence, an updated and rebadged version of Safe Habour.
If a direct comparison is made between the two frameworks, it can be seen that the EU-US Privacy Shield retains, at its core, Safe Harbour’s original seven principle framework. Although adjustments have been made to all of the original principles, most of these are minor. Only three of the principles have received any major enhancement:
1. Notice – Now contains thirteen points which an EU-US Privacy Shield certified company must adhere to.
2. Choice – Largely unaltered.
3. Onward Transfer – All data transfer recipients must now be Privacy Shield certified.
4. Security – Largely unaltered.
5. Data Integrity – Even if self-certification is terminated, all certified companies must now adhere to the Privacy Shield Principles while it retains private data.
6. Access – Largely unaltered.
7. Enforcement – This area has been significantly strengthened to include EU and US based complaint resolution and annual review processes.
So, despite the ongoing controversy over its suitability, has the adoption of EU-US Privacy Shield resolved the ongoing data privacy issues? A simple, one word answer to this question is, no. Although Privacy Shield’s case for introduction has recently been enhanced by a federal court’s backing of Microsoft’s decision to withhold the release of Irish based emails to the US security services (Microsoft were conforming to the requirements of Safe Harbour at the time), there is still a high degree of confusion and uncertainty within the IT industry as to its benefits. There is also widespread concern that Privacy Shield adoption could be invalidated by a further challenge in the courts. Cloud Service Providers, in particular, have a difficult decision to make: should they sign up in support of the initiative or should they continue to use binding corporate rules and model clauses inserted into EU customer contracts that have previously allowed them to transfer data outside of the Safe Harbour framework?
Whether or not the Privacy Shield updated framework would have prevented the original complaints instigated by Schrems, had it been developed earlier, is open to conjecture. Likewise, until Privacy Shield has become fully embedded in our society, it is unclear whether the revised principles that are being delivered will actually alleviate the need for the initiation of further complaints – only time will tell. However, if a cynical stance is taken for a moment, two obvious questions come to mind concerning the current situation. Firstly, were Schrems complaints, particularly those towards Facebook, justified and, secondly, why in the Digital Age is there a need to develop convoluted laws to protect our digital data when long-standing laws and agreements satisfy similar, non-digital requirements?
The first question can be expanded upon by asking an additional, very pertinent question: if you are a Facebook user, have you read Facebook’s Data Policy lately (which still indicates their compliance to the Safe Harbour framework) – if ever? If your answer to that question is, no, then it is suggested that, perhaps, it is high time that you did – that is, if you are at all concerned about the privacy of your own data. Why? Simply because, by creating and using a Facebook account, you have accepted Facebook’s Data Policy and, by doing so, you have given Facebook permission to use certain elements of your private data, those which they call “Public Data”, in ways which may be contentious with the principles defined in Privacy Shield. Primarily, you have given Facebook permission to, for example, “….share information internally within our family of companies or with third parties for purposes described in this policy. Information collected within the European Economic Area (“EEA”) may, for example, be transferred to countries outside of the EEA for the purposes as described in this policy.”
The Data Policy then goes on to state that “(they) transfer information (but not personal information such as your name) to vendors, service providers, and other partners who globally support our business, such as providing technical infrastructure services, analyzing how our Services are used, measuring the effectiveness of ads and services, providing customer service, facilitating payments, or conducting academic research and surveys. These partners must adhere to strict confidentiality obligations in a way that is consistent with this Data Policy and the agreements we enter into with them.” Therefore, given the nature of Schrems’ complaint, it can be determined that it was justified largely because no reference is made to the transfer of data to the US security services within the policy – at least, not without first asking for the data owner’s permission.
With regard to the requirement to develop explicit data protection laws, it is worth considering an everyday data transfer comparison that will be familiar to most of us – the sending of a letter via a traditional postal service provider. In such situations, you would expect the letter to arrive at its intended destination without having been subjected to any form of interference, alteration or copying. Furthermore, it is often recognised that a postal service will enhance their services by delivering post which, under normal circumstances, is undeliverable. So, if non-digital data can be handled this way, albeit in connection with postal service laws and procedures, why are these laws not being used for digital data? In many respects, the answer to that question is open to debate but one clear disadvantage of digital data over traditional forms of data should be considered: digital data can be intercepted, transferred and manipulated far easier than non-digital data. Consequentially, data protection laws are needed to overcome the variances and deficiencies in different countries’ laws, especially when many third parties consider it their right to divulge and utilise private data in the public domain.
Data Privacy is an emotive subject and it will be hotly debated by a select panel of experts at the forthcoming Nordic Digital Business Summit in Helsinki on 22nd September. If you are interested in attending this debate, which will consider the questions listed below, please ensure that you consult the event schedule for more information.
Panel discussion topics:
What does Privacy Shield mean to European Cloud & how should the Nordics take action?
Are we really protecting our data?
Is it possible for the individual to protect their data or does responsibility lie with the companies hosting the data?
After the Microsoft ruling in Ireland will there now be more desire for US companies to store their customers’ data in the EU?
Author: Richard Carter, writing for NDBS