2015 proved to be another banner year for data privacy issues and 2016 is looking to be no different. In my International Data Privacy post last year, I predicted that 2015 would be the year for privacy. While that prediction has partially been vindicated, the steam roller continues to push forward for 2016 with no sign of abating.
The biggest news of the year was the success of Austrian Max Schrem in the European Court of Justice. The invalidation of the E.U.-U.S. Safe Harbor agreement on the basis that U.S. law enforcement access to personal data through U.S. companies wasn’t following appropriate safeguards, has sent shock waves through the corporate world. The ramifications of this decision are still being felt. Many multi-national companies moved swiftly to convert from reliance on the E.U.-U.S. agreement towards Standard Contractual Clauses controlling data flows outside the E.E.A (European Economic Area). The Department of Commerce has been working with European officials on a Safe Harbor 2.0. Unfortunately, for both efforts, the underlying argument in the Schrem case, that U.S. law enforcement and intelligence agencies have access to European data without appropriate legal safeguards in place, remains. In other words, without changes to U.S. law, any new Safe Harbor and the existing method of using Standard Contractual Clauses could be challenged and invalidated as well.
Relief may come in the form of the General Data Protection Regulation (GDPR), set to come into law in 2016 with full effect coming two years later in 2018. Unlike the current situation where methods of transfer to countries outside the E.E.A. are authorized through proclamations of the Article 29 Working Party, the GDPR will specify, in law, which methods (such as Binding Corporate Rules) are sufficient legal transfer mechanisms. This is significant because the court opinion in the Schrem’s case said that the Data Protection Authority needed to investigate claims that information flowing to the U.S. were not protected regardless of the parties’ use of the Safe Harbor agreement. Codifying transfer mechanisms in law would permit a prima facie argument that the transfer was legally sufficient to protect data.
2015 also showed us that it wasn’t just large multi-nationals that suffered from huge data privacy breaches. The Ashley Madison breach which exposed the personal details of over 30 million customers (along with proprietary information about the company’s operations) was symptomatic of a larger problem. Many smaller companies lack the resources to address privacy and security issues. When they scale up their culture (focused on service delivery), their business and technology doesn’t always scale to deal with those security and privacy threats. In this case, they will ultimately have problems — be they from hackers (such as in the Ashley Madison case) or from regulators (see FTC versus SnapChat). There is no easy solution but start-ups must start taking privacy and security into account when designing their products or they are doomed to face failure. Both U.S. regulators and the European’s have called for privacy-by-design.
There are two large areas to watch which will have a significant impact on privacy in 2016. The first is the global debate on encryption. Dubbed the “Crypto Wars II”, this is essentially a redux of the original Crypto War debate which pitted industry and individual interest in having strong secure cryptography and government interest in being able to intercept all communications with appropriate legal authority. The U.S. government lost the debate in the 1990s essentially because the “cat was out of the bag” in terms of the technology already being in the hands of companies and individuals. But as with any debate, there are renewed challenges from those who would like to try and put the cat back in the bag (or genie in the bottle if you prefer a different analogy). With every attack comes renewed calls for government authority to access encrypted information despite hard evidence that this is a significant impediment. Law enforcement officials refer to the notion that their ability to conduct lawful surveillance is “going dark” meaning they are no longer able to peer into the communications and conversations of the criminals.
By all accounts though we are living in a “Golden Age of Surveillance.” Ask any law enforcement agent whether they would rather have the tools of today or 50 years ago and you’re sure to get a nod towards today’s technology. The question which is lost on the absolutists in the argument is one of balancing the risks and the rewards. The question society must determine is whether individual protection from crime outweighs prosecution of criminals: the risks of using weakened encryption to facilitate easier law enforcement against the rewards of a stronger more secure society using strong cryptography. Notice I said easier, not perfect. Law enforcement still has other methods at its disposal. Rarely is the communications the crime, but merely a tool, like a getaway car.
The Europeans are not much further along that the U.S. in coming to a consensus (the United Kingdom leaning one way and France leaning another). However, they do understand that spreading data across the ocean increases opportunities for privacy invasions. This leads to the second major area to watch in 2016. As companies prepare for the adoption of the GDPR, they are realizing that the best solution maybe the “Europeanization” of their services. This means not only storing and processing data of E.U. members in the E.E.A. but also operating support and management staff in Europe. Microsoft was a first mover in this space but others, especially those with large European clientele, are sure to follow. Other solutions such as customer held encryption keys may help customers keep control over their data.
Whatever the future holds, 2016 is looking to be another wild roller coaster ride for privacy and data protection. Be sure to keep your hands and feet inside at all times!