It's been a wild ride for any organization transferring customer data across different borders in the last couple of months. Less than a week after taking office, President Trump signed an Executive Order, "Enhancing Public Safety in the Interior of the United States," that sent privacy advocates reeling. It vowed to remove data privacy protections under the U.S. government's Privacy Act from non-U.S. citizens or lawful residents.
Experts worry that the move will further damage a long-fought and hard-won agreement on cross-border data privacy that was already under threat: the European Privacy Shield.
The Privacy Shield is a relatively young agreement, having only been enacted in July 2016. The EU and the U.S. arrived at the agreement after a long and painful journey which saw the demise of its predecessor, the Safe Harbor agreement.
Established in 2000, Safe Harbor enabled companies gathering data in European countries to transfer it to the U.S. In 2014, Austrian lawyer and privacy activist Max Schrems threatened it by challenging the Irish government's permission to let Facebook move his data from Ireland to the U.S. When the Irish government used Safe Harbor as justification, Schrems took the case to the European Court of Justice, which ruled it invalid in 2015. Privacy protections in the U.S. were too weak to support it because the U.S. government could access data held there for national security purposes, it decided.
The two sides crafted the European Privacy Shield agreement instead, which had a new element: European citizens could complain in U.S. courts if they felt their data was being mismanaged. This new aspect of the agreement was supported legally by the Judicial Redress Act, signed by former President Obama in February 2016.
The Judicial Redress Act also supported the EU-U.S. Umbrella Agreement, signed in December 2016. This is a high-level framework for protecting data shared between law enforcement groups in the EU and U.S.
EU MEPs (elected representatives in the EU) first worried that the Executive Order would kill the Privacy Shield, but spokespeople later argued that under the language of the Order, data collected outside the U.S. and simply transferred there will be safe.
“I think that's totally lame,” responded Ann Cavoukian, former privacy commissioner for Ontario. “Personally, I don't think that's going to withstand the scrutiny of the data protection commissioners of the EU.”
The Privacy Shield was already under threat before the Order, as court cases in France and Ireland challenge it on the grounds that U.S. surveillance powers are simply too strong. “Add this to the equation and it's going to weaken confidence in the Privacy Shield,” she warns.
Michael Geist, Canada Research Chair in Internet and E-Commerce Law at the University of Ottawa, says that the Executive Order indicates a massive cultural shift when it comes to cross-border privacy law. “The Privacy Shield has already been challenged and this sends a signal that the U.S. will put ‘America First’,” he warns. “That seems to mean that the privacy of others comes second and could deal a serious blow to claims that the Privacy Shield addresses EU legal concerns.”
In the commercial world, hosting providers are worried. Cogeco Peer 1, for one, has datacenters in the U.S. and the U.K. Its director of legal affairs and privacy officer Ross Woodham frets about legal uncertainties. “The reality is that Trump's administration risks throwing us back into the dark period where Safe Harbor was struck down and we were left in limbo,” he says. “The only thing we can do is try and prepare and advocate for improvement by our respective governments and industry lobbying to ensure that we move things in the right direction.”
For Woodham, the focus is on the EU's General Data Protection Regulation (GDPR). This regulation, which comes into effect in May 2018, sets a high standard for privacy and data governance. It will mandate privacy impact assessments for high-risk data processing activities, along with ‘privacy by design,’ a system that Cavoukian developed, with the Netherlands Organization for Applied Scientific Research, that enforces a collection of data privacy principles.
GDPR also forces organizations to get consent for different processing activities, and lets individuals object to data processing on broader grounds. Individuals can have their data erased (the so-called ‘right to be forgotten’ clause) and have the right to demand a copy of it. If an algorithm is found to be automatically making decisions that affect them, they can also demand human intervention and accountability for its decision-making process.
Perhaps most importantly, the GDPR has teeth. National privacy officers in the EU can now demand up to four percent of annual turnover from organizations found wanting.
Peter Gooch, partner within Deloitte UK's Cyber Risk Services, argues that the GDPR is setting the bar internationally for privacy standards. “Other countries are looking to align their privacy laws with the EU,” he says. “The U.S. is probably the one outlier that everyone recognizes at the moment, and [it] has challenges around how well the data is used in the U.S.”
As a regulation, the GDPR will immediately become law across the EU – but what about those that leave it? Brexit – the decision to leave the EU taken in a referendum last June – is a work in progress for the U.K. government.
U.K. MPs just agreed to let the government trigger the Lisbon Treaty's Article 50 by March, which will officially begin a two-year process that will keep the U.K. in the EU until March 2019 at the earliest. In the interim, U.K. organizations must comply with the GDPR.
After Brexit, U.K. companies could struggle to navigate new privacy arrangements with partners in Europe. There is no agreement on adequacy between the EU and the U.K. The U.K. would need one to be considered a legally viable destination for EU data.
Woodham worries that the Investigatory Powers Act, also known as the Snooper's Charter, may present a speed bump in creating such an agreement. Passed in December, this U.K. law grants the use of interception warrants for mass surveillance. An earlier attempt at similar surveillance legislation, the Data Retention and Investigatory Powers Bill (DRIPA), was found illegal by the European Court of Justice.
“There's a real risk that we end up in the same position in the U.K. as in the U.S.,” he says, arguing that the EU may not find the U.K.'s privacy regime adequate.
If these international bonds do break, companies must resort to other mechanisms. There are two: binding corporate rules (BCRs) and model contracts. The former enable multinational corporations to transfer personal data across borders to countries where the EU hasn't issued a finding of adequacy. That data must stay within the multinational's possession, making it inappropriate for transferring data to third parties, such as cloud hosting companies.
An alternative is the Standard Contract Clause. This EU-approved boilerplate can be inserted into a contract, enabling data to then be transferred to a third-party organization outside the EU. “The model clauses enable a quick method of transferring data to the U.S., and we would sign those as well, if necessary,” says Lillian Pang, senior legal director specializing in data protection and privacy at hosting firm Rackspace.
Sally Annereau, senior data protection adviser at international law firm Taylor Wessing, has reservations. Max Schrems is now challenging the European Commission (EC) adequacy decision that underpins the use of these clauses, in a case that may escalate to the European Court of Justice after the Irish High Court hearings in February.
“If the EC decision validating the use of model clauses is invalidated, this will lead to further uncertainty for legal data flows of personal data previously made in reliance of approved contractual clauses,” Annereau says.
The Canadian perspective
While the EU and the U.K. consider their futures in a shifting privacy landscape, Canada must weigh its own. The country has long enjoyed a finding of adequacy with the EU, enabling the easy transfer of data. Recently, it has issued a public consultation on consent provisions in its own Personal Information Protection and Electronic Documents Act (PIPEDA), an old law that was recently updated by the Digital Privacy Act, signed in June 2015.
“It was not sufficient and they weren't far-sighted enough,” Cavoukian says. “Now that the EU law has been strengthened with the raising of the bar in the GDPR, that's in question and we have to strengthen PIPEDA.”
Canada's Federal Privacy Commissioner is now considering the U.S. government's Executive Order, which Geist says puts Canadian data at risk. “The concerns for Canadians – indeed anyone other than EU member states – remain significant,” he says.
As all this develops, Deloitte's Gooch points to the rise of data sovereignty laws in countries ranging from Russia to China and beyond. Australia also has data sovereignty laws that restrict how data can be exported, as does Indonesia. Where does this leave us? Gooch argues that regardless of regulation, the demand for privacy is strong.
“The perception of privacy as a fundamental right for individuals has gathered a lot more traction in the last five to 10 years,” he says, adding that the increase in personal data produced and held by digital services has been a driving factor. “Society is demanding this level of privacy as a starting point.”
The demand may be there, but Woodham worries about the erosion of harmonized privacy laws and what it may mean for privacy as a concept. “We're going in the wrong direction in terms of aligning European legislation and standards globally,” he says. “If anything, with Trump, the gap is widening.”