Is massive and indiscriminate surveillance proportionate and strictly necessary in a democratic society?
Posted on 13/04/2021
<p class=Read More
Privacy Shield is invalid
Posted on 16/07/2020
It lasted all of 4 years and 4 days before the Court Justice for the European Union (CJEU) decided on 16 July 2020 that the Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid. Er, pardon?
OK, in summary, this means the CJEU has judged that Privacy Shield was invalid from 12 July 2016. It has never been valid. Just like its predecessor, Safe Harbor. In other words, no-one can rely on Privacy Shield to transfer personal data to the USA.
If you don’t transfer personal data to the US, there’s no problem – it doesn’t affect you. If you keep life simple by keeping personal data in the UK, you have nothing to worry about. And let’s face it, the majority of businesses appear to do just that anyway. BTW, if it’s true now, it’ll be true after Brexit too.
However, if you do transfer personal data to the US, take note. There are more than 5,000 organisations registered for Privacy Shield that do. For example, do you rely on SaaS or Cloud providers that manage the hiring of new recruits? If so, it is likely these guys are based in the US, and have relied on Privacy Shield. Similarly, does your marketing team rely on cookies (and other trackers / technologies) provided by US-based companies for your email campaigns or your App? What about your financial software? The list goes on, and on (and on…).
Here's what to do ASAP:
- step 1: look at all your processing operations to check if parties you rely on are based in the US
- step 2: check your understanding of personal data… in summary, it includes any information about an individual, such as an online identifier, MAC ID, the type of browser they use, not just a name (indeed, a name is not even required)
- step 3: in the processing operations identified in step 1, is any personal data leaving the EU (include the UK for just now)? NB this applies to any party involved in the processing, not just you
- step 4: has that party (including you) relied on Privacy Shield? If not, there’s nothing further to be done. If so,
- step 5: get your data protection expert to help identify options to fix the problem
- step 6: update your documentation (e.g. privacy statements, records of processing activities, etc)
Your data protection expert needs to be very careful which options you look at in step 5 above. For example, don’t make the mistake that the transfer is necessary for the conclusion or performance of a contract. This is because ‘necessary’ is the operative word here. In other words, it is not necessary to use a US company, as you could use a UK one instead.
Also, when considering standard data protection clauses – also known as standard contractual clauses (SCC) or model clauses – do bear in mind the Hamburg DPA’s view published on Friday: the ECJ's decision to maintain the standard contractual clauses (SCC) as an appropriate instrument is not consistent. If the invalidity of the Privacy Shield is primarily due to the escalating secret service activities in the USA, the same must also apply to the standard contractual clauses. Contractual agreements between data exporter and importer are equally unsuitable to protect those affected from government access. At least with regard to the conclusion of the SCC with the US company at issue, the ECJ should have reached the same result.
Why is this significant?
Essentially, Hamburg are saying, “don’t use SCCs.” That’s a problem because in addition to Privacy Shield, the most common mechanism used for transference of personal data to the US is SCCs – indeed, even Facebook use them. There are other available options, but that’s why your data protection expert will need to take steps 1-4 above into account to get it right for you… there’s no cookie-cutter approach to this, as compliance is at a process level.
Is there a pragmatic answer?
Great question. Let’s look at the facts. It took Max Schrems some 5 years to go through the legal process which eventually saw the CJEU strike down Safe Harbour. Privacy Shield was cobbled together in 6 months to replace it. To my knowledge, no organisations suffered any severe liability damages for previously relying on Safe Harbor, never mind continuing to transfer personal data during that 6-month period (when no mechanism existed). Then Schrems successfully struck again, this time on Privacy Shield. So, by the end of 2020, there is likely to be a replacement for Privacy Shield. You can make your own mind up regarding the probability that anyone will take action against you… either for not having any mechanism (if you relied upon Privacy Shield), or for using SCCs. In the same time frame, i.e. by the end of 2020, the UK will need to come up with an equivalent mechanism for its own data transfers because of Brexit – for both to the US, as well as from the EU to the UK. At the same time, we know from their Press Release on 24 June that in addition and in cooperation with the EDPB, the Commission is looking at modernising other mechanisms for data transfers, including Standard Contractual Clauses, the most widely used data transfer tool.
Thursday’s timing for the CJEU’s judgment has actually been perfect. By the end of the year, it appears that we will have sorted out the next generation of both SCCs as well as Privacy Shield for not only the EU, but also for the UK.
Happy days.Read More
FTC goes large on Facebook with $5bn fine
Posted on 12/07/2019
Ludicrous as it sounds, but even though Facebook had a $5bn fine confirmed by the FTC, their share value went up! Of course, they can still expect other actions against them by regulators in Europe and elsewhere, as well as Court cases and further Brand damage. With so many other new platforms appearing, it appears that Facebook cannot continue to rely on its powerful global grip it has established.
The company has recently made some efforts to market their caring position vis-a-vis privacy - the issue is that “data protection by design” requires ‘whole privacy’ thinking, so that the likes of Cambridge Analytica relationships should not be allowed to disrespect our privacy, by either Facebook or Cambridge Analytica... but Facebook’s statements appear to be more vacuous in terms of substance.
The wake up call from the world’s regulators this week has not gone unnoticed - does this mean we can rest a little more restfully?
Sadly not. More organisations are turning to machine learning and artificial intelligence. For sound legitimate and necessary reasons in a global competitive economy that is driving down costs. To stay ahead these technologies are required.
What therefore are organisations to do?
Look, data protection legislation is not designed to stop such advances. Au contraire, the object is to facilitate free flows of data, in particular personal data. With that in mind, establishments simply need to get data protection by design right, unlike Facebook and Cambridge Analytica.
Do you get it right? How would you know? How would individuals whose personal data you process know?
Easy. Check with priviness for free.Read More