Arachnys on Compliance

The following article by Paul May of Arachnys was published on 15 Aug 2016 in Privacy Shield

2016 has been a fruitful year for changes to EU legislation, and this is not set to end anytime soon. Governance in this area is in a tremendous state of flux. In October 2015, the Court of Justice of the European Union made an unprecedented declaration to throw out Safe Harbour as a framework for the transfer of personal data from the European Union to the U.S. As of 12th July, a new framework has been adopted: ‘Privacy Shield’.

However, whilst Privacy Shield does contain some notable changes which represent progress from the Safe Harbour legislation, it is possible that it will suffer the same fate as its predecessor. Whilst this future is still in doubt, how should companies decide whether this is the right time for certification?

What are the major differences between Safe Harbour and Privacy Shield?

Like Safe Harbour, the new safeguards include seven main ‘principles’ (with 16 supplementary ones): (1) notice, (2) choice, (3) accountability for onward transfer, (4) security, (5) data integrity and purpose limitation, (6) access, and (7) recourse.

However, these are only principles. The meaningful changes are:

Regular ‘reviews’ by the U.S. Department of Commerce on compliance. There is a new ‘supervision mechanism’, wherein the FTC provides oversight and sanctions for companies that don’t comply, as well as removal from the approved list of ‘Privacy Shield companies’.

A new ombudsman: Independent from U.S. national security services, EU citizens can direct complaints and queries to the new data ombudsman. The U.S. Director of National Intelligence, James R. Clapper, has promised that ‘indiscriminate mass surveillance’ on data transferred under the Privacy Shield will cease, subject to ‘specific preconditions’ (this promise is extremely problematic, as we’ll discuss later).

Notice: A public privacy policy must be published by a company before requesting Privacy Shield access. This ensures that there is a public record of the policy, and that any action taken by the company which is inconsistent with their previous policy can be flagged by citizens and raised with the FTC.

Choice: A citizen must have a legal opt-out option if at any point they believe a company’s use of their data to be inappropriate.

What do these new provisions mean for companies?

In practice, this means a new certification process for companies which require accreditation under Safe Harbour. The self-certification process began on 1st August 2016 and requires annual recertification. The US DoC has provided a guide to self-certification, which details the commitment to the privacy principles such as ‘notice, choice, access and accountability for onward transfer’. Once the company’s privacy policy is written – ensuring that it conforms to the standards and includes public recourse and verification mechanisms – the company must put in place a single designated contact for handling Privacy Shield compliance. Companies must also apply notice and choice to any third party acting as an agent when handling the data. Companies that certify between 1st August and 1st October this year will have up to 9 months (from the date of their certification) to bring any existing commercial contracts (third parties included) into conformity with these rules.

Principles, but what oversight? What are the penalties of non-compliance?

Should there be any active recourse from an EU citizen about an organisation’s use of their data, the organisation will have to respond within 45 days, whereupon an independent body must be designated by the company to handle the dispute. This body could be from the EU or the US. The caveat here is, of course, that an independent U.S. body might be more lenient to a U.S.-based company – but one can only speculate.

The U.S. Federal Trade Commission will enforce compliance with Privacy Shield, along with the Department of Transportation. Edith Ramirez, chair of the FTC, has promised to be responsive to claims from EU data protection authorities and NGOs, but released only the briefest response to the legislation: “The FTC has a strong track record of protecting consumer privacy, and we will remain vigilant as we enforce the new framework. We will also continue to work closely with our European counterparts to provide robust privacy and data security protections for consumers in the United States and Europe.”

In the Agreement itself, however, the FTC provides more details on fines and punishments: up to $16,000 per violation, or $16,000 per day for a continuing violation, which in the case of practices affecting many consumers will amount to millions of dollars. As an example, Google were made to pay a $22.5 million penalty by the FTC to ‘resolve’ allegations of poor regulatory compliance.

Steve Wood, of the Information Commissioner’s Office, provides a clear explanation of the risks of avoiding Privacy Shield by continuing with policies which adhered only to Safe Harbour:

“Any transfers that continue solely under the Safe Harbour framework will breach the eighth data protection principle, and there could be circumstances where we would contemplate enforcement action, in line with the ICO enforcement policies. Of course, we appreciate that organisations will need time to make the relevant changes, but the key is not to delay.”

In the UK, the Data Protection Act 1998 offers a somewhat less substantial amount of oversight for citizens, but penalties of up to £500,000 can be imposed by the Information Commissioner’s Office for a data breach (the maximum was increased from £50,000 in 2010; the ICO must have realised multinationals have deeper pockets).

If there is increased vigilance, how can companies ensure greater privacy compliance?

As the cost of compliance staff increases (according to this Reuters report), companies will be wondering whether Privacy Shield certification is worthwhile. However, the cost of maintaining privacy compliance is not nearly as high as the cost of non-compliance. Along with PCI compliance (designed to ensure credit card information is stored securely), there is an increased impetus to ensure customer data is stored privately and safely. Understandably, there has been a rush to recommend customer identity and access management (CIAM) technology to ensure compliance with domestic and international regulations.

Industry advice has all too frequently been given by the suppliers of this software, amounting to little more than veiled press releases in industry magazines which do well to market their services but have done little to assist professionals faced with the core challenges: assessing whether to obtain Privacy Shield certification, the timeline to adopt, or the likelihood of the legislation persisting.

Moreover, these practices have tremendous limitations for KYC: managed solutions such as these ignore the benefits of manual curation, and can only go so far. Forrester Research provided an industry overview comparing CIAM solutions for KYC and introduced a Customer IAM Security Maturity Assessment model, which needs to be updated in line with Privacy Shield requirements. IAM solutions and privacy often run in different directions – as Andras Cser and Merritt Maxim of Forrester suggest: ‘the network perimeter is all but gone and identity is the new perimeter.’ Inevitably, if access is governed by identity, which must be disclosed at all times, privacy protection becomes marginal.

Is certification worthwhile whilst Privacy Shield could suffer the same fate as Safe Harbour?

The cost of privacy compliance is reduced if companies certify with Privacy Shield, as long as the new legislation is permanent. However, there are numerous indicators that suggest Privacy Shield could be repealed for the same reasons as Safe Harbour.

The bulk of the reasoning surrounds insufficient oversight and consumer privacy: the same reasoning for which Safe Harbour was overhauled in the first place. Many digital rights organisations (which directly led to the pressure placed on the EU for a repeal of Safe Harbour) have already indicated that Privacy Shield is only a very incremental step forward for consumer privacy. The Commission itself took this under serious consideration before the ruling, as evidenced in its own reports. After the final drafting of Privacy Shield was leaked online by Politico in June, many other advocacy groups have commented to add their deepening concern. Privacy International, a London-based advocacy group for digital privacy, have listed four key concerns with Privacy Shield, summarised here:

1) It is an ‘entirely opaque document’, containing ‘a collection of commitments’ and explanatory notes with little description of the ‘guarantees provided to the protection of personal data and how they would apply in practice’.

2) The accountability of onward transfer and limitation/deletion of personal data is an improvement but falls well short of what is expected by advocacy groups.

3) An absence of legal protections – particularly against US intelligence agencies – while the U.S. government is arguing that it ‘can collect all communications to and from a region of the world if the use of specific selector is not possible’.

4) The ombudsperson is totally underpowered, lacking independence from the executive [a crucial component of ombudsmanship] as she/he reports to the Secretary of State, and has little to no power of redress – paragraph 4(e) of Annex III states that the ombudsperson ‘will neither confirm nor deny whether an individual has been targeted by surveillance’.

The first draft was severely criticised by the European Parliament, the European Data Protection Supervisor, and the European Ombudsman. Moreover, EDRi, an EU privacy watchdog, concurs that Privacy Shield is not a step forward for consumer privacy whatsoever:

“We have ‘bulk data’ that we are told is not bulk data, we have an ‘ombudsman’ who is not an ombudsman, we have redress that is not redress.”

Meanwhile, both Privacy International and EDRi have expressed some support for the EU’s GDPR and e-Privacy directive revisions as ‘the best possible outcome in the current political scenario’, whilst warning that it contains ‘loopholes’ that need to be fixed. Despite having been adopted in 2002, the e-Privacy directive is only being updated now, and a coalition of companies and ‘innovation partners’ have come together to repeal it, on the grounds that ‘simplifying and streamlining regulation’ … ‘will benefit consumers by ensuring they are provided with a simple, consistent and meaningful set of rules designed to protect their personal data’, whilst encouraging ‘innovation across the digital value chain’. Privacy International are understandably distrustful given the vague provision of ‘choice’ as a means of privacy protection: ‘when a coalition of tech and telecom industries call for a relatively obscure EU directive to be repealed’ … ‘then maybe there is something worthwhile fighting for in it’.

A German data protection authority, Johannes Caspar, is already suggesting they are going to challenge the Court of Justice’s decision to make the deal – the very court which declared Safe Harbour inadequate. And the committee responsible for advising the EU on data protection, the Article 29 Working Party (WP29), announced on July 26th that they had several problems with the new legislation, though they will wait to raise objections until they have evaluated the performance of the legislation for one year. As a result, there will be tremendous scrutiny on the companies who do certify, to see if they adhere to their approved privacy policies.

‘Wait and See’

Privacy Shield may yet be panned like Safe Harbour. This would vindicate the ‘wait-and-see’ approach taken by many companies, in lieu of a wider set of proposals based on the GDPR (General Data Protection Regulation). The cost of compliance could be mitigated by using standard contractual clauses (SCCs) instead of obtaining Privacy Shield certification. However, this comes with its own challenges – SCCs can be challenged, slowing down their use, and they must be implemented on behalf of each and every data exporter in the EU. Several high-profile companies, including Microsoft, have already announced their desire to comply with Privacy Shield as it reduces the cost of the paperwork necessary to comply. But Microsoft has a vast integration with personal data and a global reach – most companies should undertake a rigorous cost-benefit analysis before considering certification.

For UK businesses which deal in EU citizens’ data, it may be ever more sensible to wait to see the outcomes. The British government may be unable to renegotiate single market access, however unlikely. Should Britain have EEA access to the single market, the EEA has its own court for these matters (which does not consider human rights in its decisions). Either way, if Britain does retain single market access, it will likely have to adopt its own version of Privacy Shield to ensure the protection of the rights of EU customers.

Source: Arachnys