The headlines in recent years have been littered with news of corporate scandals and data mismanagement. Regulators have responded with varying degrees of fines and an increasingly complicated regulatory environment. Despite this uptick in regulation and enforcement, the behavior of the world’s most powerful companies has not appeared to change in any significant way. Wells Fargo provides a notable example. In late 2016, after the Consumer Financial Protection Bureau (“CFPB”) fined the company $185 million, headlines surfaced showing that the bank had engaged in the practice of creating fake customer accounts to inflate cross-selling of its products. The CFPB fine, coupled with additional penalties from various regulators resulting in a $575 million settlement, is unlikely to have a large impact on the firm, which earned over $22 billion in 2018. Although regulators are increasingly able to take steps to penalize companies engaging in reckless or fraudulent activity, the signs show that arguably the most prominent effect of such penalties is management turnover and alleged cultural changes. The concern is whether the cultural changes are sincere despite the profits reaped in the face of fines. The world’s most powerful corporations are not above the law, but, in an environment where the most important metric of success is the bottom line, such entities may be indifferent to it.
GDPR: One year in
In the realm of data security, though, the road ahead looks more promising. Since the European Union’s (the “EU”) General Data Protection Regulation (the “GDPR”) came into effect last May, major corporations have been forced to register for processing data in the EU. Ireland has emerged as the EU’s primary data overseer and an example of how government regulators can effectively leverage new laws to create corporate change. Policing under the GDPR falls to the country’s Data Protection Commission (“DPC”), which can originate investigations on its own or upon receiving complaints. Since the GDPR came into effect, there have been €56,000,000 ($62,527,964) in total fines, over 500,000 data protection officers appointed, over 200,000 cases received by data protection authorities, approximately 100,000 individual complaints filed, and over 64,000 data breach notifications received. The numbers are hard to ignore, and companies, including U.S. tech giants Facebook, Google, Microsoft, Apple, Twitter, LinkedIn and Dropbox, have responded by making policies clearer and ensuring that users are aware of privacy settings. Many companies have engaged in wholesale changes in culture and data protection, although some regulators note that other companies merely undergo a formal “box-ticking” exercise with little resulting change in culture. That said, given the numbers after only one year, the future of corporate compliance under the GDPR looks bright.
Last week, the EU’s highly controversial Copyright in the Digital Single Market Directive cleared the final hurdle. The European Council ratified the Directive, just weeks after the Directive successfully passed in the European Parliament. Now, with the approval of both the Council and the Parliament, the Directive is poised to go into effect in two years.
The Directive overhauls copyright law in the European Union and has faced massive protests and criticism from digital advocates all over Europe over the contents of Article 13 (renumbered as Article 17 after a recent update). Article 13 of the Directive shifts the responsibility for flagging copyright violations from owners of the copyrighted content to the online platforms themselves. Tech companies and activists alike have stressed that compliance will be nearly impossible even for the tech giants—to say nothing of the smaller outlets—and may change the face of the internet as we know it. Many worry that if platforms are forced to police content, they will opt to ban certain types of content altogether, delivering a huge blow to freedom of expression on the internet. To top it off, the Directive is notoriously unclear: while its language clearly suggests that gifs and memes may become a thing of the past, European lawmakers have insisted that this is not the case. Of course, in the U.S., Section 230 of the Communications Decency Act continues to protect online platforms from liability for violations of law committed by their users, but in the EU, when it comes to copyright violations, those protections will cease to exist.
Notably, unlike Regulations (for instance, the GDPR), which become law once they are passed by the central EU institutions, Directives have to be written into each member country’s national law. The two-year grace period is rarely strictly enforced so the change may take even longer, buying the Directive’s opponents some time to bring a potential legal challenge.
The FCO’s action against Facebook was an administrative proceeding, intended to compel the company to change its practices, rather than merely extracting a financial penalty. However, Facebook has already announced plans to appeal the decision, in a process that begins next month.
Last week, Twitter, like other tech giants, came under scrutiny for potential non-compliance with the EU General Data Protection Regulation (GDPR). Under the GDPR, data subjects have the right to receive information about the types of data companies collect about them, how they do so and what they do with the data. Michael Veale, a data privacy and technology researcher at University College London, sought to exercise this right when he asked Twitter to provide him with more information about the data it collects when users click on the “t.co” link in a tweet. Initially designed as a way to save characters in a tweet (which is limited to 280 characters), this type of link-shortening can also be used to fight malware and gather basic analytic information. In light of this, Veale wanted to know whether Twitter tracks his web activity after he clicks the auto-shortened link. He suspected that Twitter was collecting IP addresses, timestamps and the devices being used. But Twitter denied Veale’s request, claiming that providing such information would require “disproportionate effort.” Veale found this response disingenuous and complained to the Irish Data Protection Commission. In turn, the Commission opened a statutory investigation to determine whether Twitter has violated any provisions of the GDPR (and/or the Irish Data Protection Act of 2018), including through the use of its URL-shortening service. Because Veale’s complaint involves data processing across EU borders, it will likely be handled by the new European Data Protection Board, which replaced the Article 29 Working Party in May 2018 (concurrent with the advent of the GDPR) as the joint coordination body of the EU data protection authorities.
The European Union’s General Data Protection Regulation (GDPR) just became effective a few days ago, on May 25, 2018. Yet Facebook is already facing lawsuits regarding its data sharing practices. Max Schrems, an Austrian privacy activist, filed the lawsuits against Facebook, seeking large fines. The lawsuits are filed per product and include separate suits against Facebook and the Facebook-owned WhatsApp and Instagram.
The GDPR requires companies to justify why they are collecting data on European users and to state what they intend to do with the data. Companies must receive clear consent prior to collecting any personal information and keep strict records of any data processing.
Facebook has been preparing for the GDPR over the past year and enforcing new policies to protect users’ data, but Schrems argues that these steps are not sufficient. Specifically, Schrems claims that the companies’ “all or nothing” approach to privacy—requiring users to click a box to access the service—is a violation of the GDPR. Rather, Schrems contends that the companies should let users decide exactly how their data is used at more of a case-by-case level.
Facebook argues that its privacy measures are GDPR compliant.
Over the past 18 months, companies of all sizes have wondered how the GDPR was going to be enforced. As we expected, it looks like it will take some GDPR-related lawsuits to interpret the regulation and set precedent as to its enforcement. While May 25, 2018, was the effective date, it was not the last we’ll hear of the GDPR.
After the Safe Harbor agreement, which regulated EU-U.S. data transfers, was invalidated as inadequate by the European Court of Justice in 2015, many U.S. businesses were left in a panic about how to do business as usual without violating EU data protection law. In light of that, the EU-U.S. Privacy Shield agreement, implemented in July 2016, arrived to a collective sigh of relief. Nevertheless, the Privacy Shield can only exist so long as it meets the approval of the joint review commission every year, which includes members of the Article 29 Data Protection Working Party (WP29)—an advisory body made up of Data Protection Authorities from each EU member state, the European Data Protection Supervisor and the European Commission. This is why it’s worth paying attention to WP29’s opinion on the first annual review, issued earlier this month.
WP29’s opinion, which is separate from the European Commission’s review, warns about the possibility of taking the Privacy Shield before the European Court of Justice next year if several issues are not addressed. Chief among these is how the United States government accesses and collects personal data for national security purposes. As many may recall, this is the same concern that arose in Schrems v. Data Protection Commissioner—the European Court of Justice decision that invalidated Safe Harbor—particularly in the wake of the Edward Snowden revelations. Specifically, WP29 wants assurances that data collection under Executive Order 12333, which authorizes intelligence agencies’ extensive data collection powers, is necessary and proportional. In the same vein, WP29 wants the next version of section 702 of the Foreign Intelligence Surveillance Act to provide for “precise targeting” rather than general surveillance programs.
The most pressing of WP29’s recommendations, however, are filling the vacancies on the Privacy and Civil Liberties Oversight Board and appointing an independent Ombudsman to bring matters to court on behalf of EU citizens whose data privacy rights are affected by U.S. intelligence agencies. WP29 warned that the U.S. must resolve these two issues by May 25, 2018—the date on which the General Data Protection Regulation goes into effect.
As part of a series of blog posts through the UK’s Information Commissioner’s Office (ICO) aimed at dispelling myths surrounding the General Data Protection Regulation (GDPR), Steve Wood – the Deputy Commissioner for Policy at ICO – recently wrote about the perceived burden that the GDPR will place on regulated organizations. The GDPR is set to replace the current Data Protection Act (DPA) in May 2018 as the European Union’s chief privacy regulation. Mr. Wood first touched on concerns that the GDPR would upend current efforts by businesses to protect personal data by noting that the GDPR is an “evolution in data protection, not a revolution.” While Mr. Wood acknowledged that any new regulation will impact an organization’s resources, the GDPR merely seeks to build on the same principles and concepts as the DPA. Accordingly, organizations that are already in compliance with the DPA will have far fewer issues to address with respect to the GDPR. As for new requirements established by the GDPR – including enhancements to privacy notices and individual rights to personal data, reduced timeframes for responding to subject access requests, special protections for children, and new reporting requirements for data breaches – Mr. Wood noted the many resources available through ICO that organizations can use to start making preparations now so that they are in full compliance when the GDPR goes into effect.
Mr. Wood also addressed the concern that small and medium-sized enterprises (SMEs), those that employ fewer than 250 persons and have reduced balance sheets, will be disproportionately burdened by the GDPR. In an attempt to assuage such concerns, Mr. Wood explained that compliance with the GDPR is scaled to the risk posed by particular businesses and types of data – circumstances that are unlikely to appear among SMEs. Further, many of the requirements under the GDPR are likely to overlap with practical and straightforward record-keeping practices that are already in place.
Finally, Mr. Wood highlighted the potential for the GDPR to add value to a business. As current levels of public trust concerning privacy and data protection are low, compliance with the GDPR represents an opportunity for organizations to build that trust and derive more value from handling data in a proper manner. On the other hand, the failure to protect personal data can damage a business’s reputation, fracture customer relationships, and ultimately impact the bottom line.
On March 23, 2017, with the first joint annual review of the Privacy Shield on the horizon, the European Parliament Civil Liberties, Justice and Home Affairs Committee narrowly adopted a resolution identifying “key deficiencies” in the E.U.-U.S. Privacy Shield. The resolution, which was passed by a vote of 29 in favor, 25 against and one abstention, details a number of deficiencies with the personal data transfer framework. In particular, while acknowledging improvement over the E.U.-U.S. Safe Harbor that was invalidated by the European Court of Justice in 2015, the resolution raises concerns regarding the lack of specific rules on automated decision-making and the general right to object to data transfers.
Additionally, in a show of skepticism of U.S. authorities, the resolution specifically notes the insufficient protections surrounding mass and indiscriminate collection of personal data despite assurances attached to the Privacy Shield by the U.S. Director of National Intelligence. The resolution also urged an immediate assessment of whether rules approved by the U.S. in early 2017 allowing the National Security Agency to share private data with other agencies are consistent with the U.S.’s responsibilities under the Privacy Shield. Finally, the lack of a judicial remedy for individuals in the European Union whose data is transferred under the Privacy Shield and processed by both private organizations and U.S. law enforcement agencies is yet another concern of the committee.
The resolution is expected to be voted on by the European Parliament as a whole in April.
On February 28, 2017, the American Civil Liberties Union sent a letter to White House Counsel Don McGahn criticizing a policy change affecting privacy protections for immigrants implemented by one of two executive orders issued by President Donald Trump on January 25, 2017. The executive order at issue directs federal agencies to “exclude persons who are not United States citizens or lawful permanent residents” from protections previously afforded to them under the Privacy Act of 1974.
Noting that the policy shift has received little attention, the ACLU claims in its letter that implementing such a directive “threatens the privacy rights of immigrants, foreign residents and U.S. citizens; raises multiple constitutional and legal concerns; and calls into question whether the U.S. is meeting its obligations under existing international agreements.” In a statement coinciding with the letter, the ACLU warned that this policy change places the personal information of refugees, college students, tourists, individuals with work visas and others at risk of public disclosure.
The ACLU’s letter also addresses a number of legal issues that it feels constrain agency implementation of the order and expresses skepticism that such issues are being properly considered based on agency implementation memos that have been circulated thus far. Among those issues are agreements between the European Union and U.S. that govern the commercial exchange of data and data sharing among law enforcement agencies. As a result, the ACLU also sent a joint letter with Human Rights Watch to EU officials warning of the potential disruption to standing agreements posed by President Trump’s order.
We previously reported that the privacy advocacy group Digital Rights Ireland is seeking to challenge the validity of the E.U.–U.S. Privacy Shield. The group argues that the Privacy Shield, like its predecessor the Safe Harbor, fails to adequately safeguard European citizens’ privacy.
The Privacy Shield, which seeks to remedy the security failures of the previous Safe Harbor Act, was finalized this past July and over 1500 organizations have already certified their compliance. Now, the United States government has applied to be an intervening party in the challenge, supporting the European Commission’s position that the Privacy Shield is sufficient. France, the UK and the Netherlands have also applied to be intervening parties.
However, these applications will be at a standstill for some time—the Court of Justice of the European Union cannot rule on the applications until a separate application concerning whether Digital Rights Ireland has standing is heard. In the meantime, the Privacy Shield remains the governing framework for transatlantic data transfers, and organizations processing European data must be in compliance with it.