Safe Harbour Falls into the Atlantic

The Safe Harbour scheme that provides the legal underpinning for significant volumes of personal data use by the world’s largest technology companies has just been declared invalid by Europe’s highest court.  So does that mean the internet is going to grind to a halt as billions of data transactions get held up at the border? No, but there are going to be some changes in the background to make sure the information keeps flowing.

First, a bit of back story

The EU-US Safe Harbour (or Harbor on the other side of the pond) scheme was put in place about 15 years ago to make up for the fact that US privacy laws were judged to not provide an ‘adequate’ level of protection for EU residents when their personal data was transferred to US businesses for any reason.

Basically it requires the US firms to self-certify that they will be held to a set of privacy principles designed to provide the protections that are lacking in US law.  Some 4,500 firms have until now been relying on the scheme, including many of the internet’s technology giants.

The decision by the EU’s highest legal authority, the European Court of Justice (ECJ), to kill off Safe Harbour has come about through a case brought against Facebook by an Austrian student, Max Schrems, now being hailed as a hero by many privacy advocacy groups.

In the light of Edward Snowden’s 2013 revelations about the extent of mass surveillance by the US security agencies, which allegedly involved unrestricted access to personal data held by Facebook and others, Schrems argued that the protections of Safe Harbour were inadequate.

The Court essentially agreed, noting that the NSA’s unlimited access to personal data, together with the absence of any provision for an EU resident to take legal action against that access, represents a compromise of fundamental rights to privacy enshrined in the EU.

With that decision the walls of the Safe Harbour crumbled into the Atlantic Ocean.

So what happens now?

Safe Harbour has been heavily relied upon, largely because it was the easiest route for US companies to legally import personal information from the EU, but it was never the only route. What happens now is that those companies will need to put other mechanisms in place. The next best method is what is known as ‘Model Contract Clauses’ – standardised terms and conditions. Although not complex for most companies to adopt, it does involve a lot of paperwork and admin, so it can take time and be costly.

For larger companies, and especially those for whom data is their stock in trade, the disruption is likely to be minimal. It is likely to be smaller US businesses for whom this decision will be a bigger additional burden. Fortunately, the EU Data Protection Authorities (DPAs), who will be charged with policing the transition, look likely to be reasonable in giving time for changes to be made.

However, this is unlikely to be the end of the story.  As other notable commentators have pointed out, neither model contract clauses, nor their more difficult cousin, Binding Corporate Rules, contain any protections against US intelligence intrusion greater than Safe Harbour.  So, in the short term, these are equally at risk of being legally challenged.

There is however some light at the end of the tunnel. Negotiations for a replacement to Safe Harbour have been under way now for 2 years.  Although seemingly bogged down in the end game for some months, this decision is likely to put increased pressure on to get them finalised.  This new agreement does contain critical rights of legal redress for EU residents that were missing in the original scheme.

However, the light is not all that bright.  Another part of the decision was to clarify that national DPAs have complete freedom to decide if their laws are being complied with or not.  Which means that even with a new scheme in place and agreed to by the majority, a single DPA could still challenge standardised agreements if they felt national law was being infringed.

Of course all of this is also set to change again when the Data Protection Regulation gets finalised – and who knows what impact this decision will have on those negotiations. As for Max Schrems and Facebook – their battle is also not yet over. The decision on whether or not Facebook has actually breached EU law now goes back to Ireland’s Data Protection Commissioner due to the fact that Facebook’s EU operations are based there.

Suffice to say – we are a long way from hearing the end of this story.

Lessons from London’s Leading Privacy Conference

The annual Data Protection Intensive, organised by the International Association of Privacy Professionals (IAPP), is a 2 day conference bringing together leading privacy experts from many different countries and industries. This year’s conference, which took place in mid-April, was my first and I found it very enjoyable and informative.

Privacy and Data Protection have been growing in importance to business in the last few years for a number of reasons. Consumer data is now a key asset for many types of organisations. Its increasing availability, volume and granularity, coupled with the low cost of storage and analysis, has made it a valuable commodity and increasingly a source of competitive differentiation. At the same time, Edward Snowden, high-profile hacking and cyber security breaches, and debates about privacy vs. freedom of speech have all played their part in making data protection a mainstream media story, raising both awareness and fear over the potential dangers of its misuse.

The proposals for the new EU General Data Protection Regulation, and what it might mean for compliance programmes, were unsurprisingly very much top of the agenda at the conference this year, as we inch ever closer to an agreed text. Much time has been, and continues to be, given over to analysing the proposals in minute detail. However, to my mind the real take-aways from the conference were all about the big picture.

  • The hockey-stick curve of growth in IAPP membership is a testament to the fact that, contrary to what some would like us to believe, privacy is not dead but thriving, and some may even say it is on the edge of entering a golden era.
  • Even in the biggest and most privacy-mature businesses in attendance there was still a sense of plenty of room to improve and evolve.
  • The dominance of a legalistic approach to privacy management is on the wane, with a move towards more of a business-needs focus.
  • Privacy management activity is still quite low on the corporate agenda, which means budgets are very tight.
  • There is a need for tools and technologies to make privacy management more effective and efficient.
  • Many organisations think of their key privacy issues and solutions as being unique or special to them in some way.

This last point is critical in my view and represents a potential barrier to the one above it – development of new tools and technologies.  Whilst it is often true at the detail level, it is unlikely to be in the broader scope of organisation activity.

Take for example the use of customer data for marketing. A large proportion of organisations will essentially hold the same data about customers (contact details, purchase histories etc.), and use it in very similar ways (segmenting, targeting, upselling), even if the details of what they have and the way they use it are different.

A lot of companies will also have very similar processes for handling employee data, and a similar set of partner relationships for payroll, recruitment etc. When you look at specific verticals and certain types of data use within them – like health providers and financial services, it is likely that the similarities become even more pronounced.

I believe that one of the biggest challenges for the privacy profession may be to get past the ‘Not Invented Here’ syndrome when it comes to privacy management.  This means learning to focus on those similarities rather than differences, which is key to opening up new opportunities for shared learning, better benchmarking, and a greater understanding of difficult issues like consumer privacy risks.

It is also when you have recognised similarities that you can start to leverage technology more to handle the standard, routine aspects of any task – which of course frees up human resources to deal with the more difficult, individual issues.

PIAs (Privacy Impact Assessments) are a good example of where technology can standardise and streamline the process of gathering information and enabling privacy teams to make better informed decisions. By reducing the time and cost involved in managing PIAs, it becomes easier to carry them out more frequently and in smaller projects. This in turn could be one of the most effective ways of both increasing awareness of privacy issues within the organisation and encouraging the adoption of more privacy-centric systems and processes.

ECJ Rules that Search Engines are Data Controllers

The European Court of Justice, the highest court in the EU, has made a decision against Google this week that may well prove to be a turning point for data protection rights in Europe, and provide a mechanism for individuals to exercise the Right to be Forgotten which is provided for in the draft Data Protection Regulation.

It has caused quite a stir, with many arguing that it marks a blow for freedom of expression.  However as much as anything it has also highlighted the cultural differences between the USA and Europe.  In Europe the right of free expression is more balanced against the right to privacy.

However, the overlooked factor in most of the stories on this issue is that the ruling presents a view of the role of search engines as cataloguers of the web that is fundamentally different from the one most people hold, and from how the search engines themselves would like to be seen.

Google argued that it is not in control of the content of pages it indexes. It argued that, as a Data Processor, it could not be held responsible for the personal data on the pages it indexes, and therefore would have no liability under EU data protection law.

The court by contrast ruled that in creating its index and generating a link as a result of the search, Google is re-using the data for a different purpose. It also spelled out that the purpose was in no small part to create a market for its advertising which also appears in the search results.

The change in purpose, together with the fact that Google is in control of how the index is formed, means that it has to be seen as a Data Controller when it displays search results. This in turn automatically means that it is responsible for the protection of the personal data, and upholding the rights of the individual.

This is really the game changer here, and what may change the very nature of search in the future.  Or will it?

There has been an assumption that the court ruling means that Google must remove the page in question from its index. This is what has got people agitated and talking about censorship.  However, I don’t think the ruling suggests this.

Another point that is missed in a lot of commentary is that this all stems from a search based on the person’s name. It is the appearance of the page in the search result against the name that is problematic according to the court.

Google therefore may not need to remove the page itself from its index, only the link between the name and the page. This would enable the page itself to continue to appear in other search results that did not make use of the person’s name.

It would limit the ability to search for information about people directly, but it wouldn’t restrict the ability to find the same content on a different basis.

Of course, we are yet to see if such an interpretation is acceptable, but it would be a lot less radical than a requirement to remove the link to the content entirely.