The Digital Post speaks with FTC Commissioner Julie Brill about the new ‘Safe Harbour’, the implications of the EU privacy reform, and privacy issues arising from the boom of the Internet of Thing.
The Digital Post: The European Union and the United States of America have reached an agreement on a new Safe Harbour data treaty. What are in your view the main achievements of the deal? What would have been the concrete risks if an agreement weren’t signed?
Julie Brill: The main achievement of Privacy Shield is that it provides strong privacy protections for European consumers and creates a framework for more parties to engage in active supervision and stronger enforcement cooperation. With respect to commercial data practices, Privacy Shield will provide stronger privacy protections than Safe Harbor did – through beefed up onward transfer requirements, and in other ways.
Privacy Shield will also establish more active supervision of the program in practice, so that the Department of Commerce, the European Commission, European data protection authorities (DPAs), and the FTC can detect and address any issues that come up. Privacy Shield will also provide a well-defined process for consumers to complain about the data practices of Privacy Shield companies.
The FTC will remain committed to giving priority to complaint referrals from DPAs, and there will be a better process in place for following up on these complaints. And even in the absence of referrals from DPAs, the FTC will continue to aggressively look for violations of the Privacy Shield principles.
Finally, in the area of national security, the United States agreed to take the unprecedented step of designating an ombudsperson to take complaints about surveillance activities that relate to Privacy Shield. This is in addition to the significant reforms that Congress and President Obama have made to surveillance practices in the past few years.
The risks if Privacy Shield hadn’t been agreed upon would have been that consumers and businesses would have continued in the limbo in which we currently exist, where some mechanisms to transfer personal data from the EU to the U.S. are still allowed, but they are expensive, opaque, and much more difficult for the FTC to enforce.
Of course, Privacy Shield still has many steps to take before it receives approval. If it were not approved, then companies – particularly small and medium enterprises – would lose out because of the time and resources that they have to put into alternative arrangements for data transfers.
But consumers also would lose out because they would have far less transparency into which companies are handling their data, the rules governing data transfers, and where to go to complain if they believe their rights are not being respected.
TDP: According to some observers, the new agreement won’t be sufficient to meet the concerns of the European Court of Justice. What is your opinion?
JB: It’s important to remember that the CJEU’s Schrems decision did not address national security surveillance practices in the United States. Rather, the case was based on the court’s concern that the European Commission’s adequacy decision in the year 2000 did not address U.S. privacy protections relating to national security surveillance.
It is hard to say how the CJEU would have assessed a full, accurate record concerning surveillance practices and privacy protections in the United States, had those facts been before the court. In any event, the U.S. has enacted significant reforms since the Schrems case was referred to the CJEU, and the U.S. is making further commitments through Privacy Shield.
On the whole, I believe these protections meet the CJEU’s standard of “essential equivalence to the EU legal order”, but we will have to wait to see if Privacy Shield is challenged to know whether the CJEU agrees.
TDP: Is the GDPR going to widen the chasm between EU and US regulatory approaches to data protection? How the FTC is working on this issue?
JB: The GDPR incorporates several provisions that either appeared first in the United States or are by now very familiar to companies and enforcers in the U.S. Examples include a focus on reasonable data security through a continuing process of risk assessment and mitigation, a general security breach notification requirement, heightened protections for children, privacy by design, and a recognition that deidentification can reduce privacy and security risks.
There are some differences between the European and U.S. versions of these provisions, but overall they show how developments in the U.S. can influence the direction that Europe takes.
On the other hand, some provisions of the GDPR move further away from the U.S. approach. A prime example is the GDPR’s right to be forgotten article, which extends to all data controllers. This expansion is a sharp contrast to the very targeted and specific provisions of U.S. law that help individuals keep some information about themselves obscure.
Companies and regulators on both sides of the Atlantic need to start working out answers to the many questions that the GDPR raises. That’s one reason that I think it’s so important for us to move beyond the issues surrounding mechanisms for data transfers that have dominated the discussion for the past several months.
With the announcement of an agreement on Privacy Shield in the past several weeks, I hope we now can begin to discuss the GDPR and issues like big data and the Internet of Things in a more sustained and meaningful way.
TDP: The FTC has been focusing on privacy issues related to the booming sectors of Internet of Things and Big Data. What are the risks? How regulators should deal with this very sensitive issue?
JB: There are important roles for enforcement, policy development, and business and consumer guidance in the Internet of Things and Big Data ecosystems. On the policy and guidance front, the FTC has been taking a close look at the potential benefits and risks of the Internet of Things and big data.
We have hosted public workshops, taken public comments, and written key reports on the broad range of technical and economic concerns that arise from having many more connected devices, huge volumes of personal data, and rapidly improving analytics.
We heard a lot about the exciting possibilities to solve problems in health care, transportation, the environment, education, and other areas; but we also learned about significant risks. Security is a huge challenge with the Internet of Things.
Not only are many devices being offered by companies that do not have long track records with data security, but these devices are also being used in ways that collect highly sensitive information and create physical risks to consumers.
With respect to big data, we found that there is a potential for unfairness or discrimination to enter through biases in data collection and analysis. Some of these issues could get companies into trouble under fair lending, credit reporting, or other laws. Other issues arise in settings that these laws do not cover, but companies still need to be aware of them because they may be deceptive or unfair.
Enforcement also plays an important role in the FTC’s approach. We have already brought enforcement actions relating to privacy and security violations with IoT devices. We have the authority to stop unfair or deceptive practices – whether or not they involve new technologies and business practices – and we will use it in appropriate cases.
Picture Credits: g4ll4is
In the overflow of ongoing debates about security and privacy in Europe, the discussion over an EU wide passenger name record system (PNR) is most telling of Europeans’ data-schizophrenia. But interestingly enough, going beyond the PNR controversy, could also propel Europe into a new era of security, prosperity and privacy.
It’s always a strange feeling, and it happens more often than not within the EU. From the moment you walk into the airport to the moment you exit your arrival terminal, it may happen that no one has asked you at a single time during your journey to show an ID.
You scanned your QR code to access the departure gates, you scanned it again to go through security and then to board, you flew and crossed one or multiple borders, you exited the plane, walked through baggage claim without stopping, and then customs, and you are in another country.No one ever asked you for an ID, and when flying, it is always a strange thought to have that the passenger sitting next to you might not be the person whose name is on the ticket.
Reality, though, is much different. Passenger information collected by airlines is accessible to law enforcement authorities who can ‘pull’ names of suspected terrorists or criminals. But suspects need to already be on a list for the system to work impermeably.
With rising concerns throughout Europe that terror attacks may be the act of EU citizens radicalized and trained abroad, many argue for a system that would allow drawing patterns and pre-empting the worse from happening.
It was in this spirit that an EU-U.S. PNR agreement was adopted as soon as 2007, providing a framework for the transfer of EU air passengers’ personal data to the US authorities. With such a system, airlines ‘push’ passenger information to law enforcement authorities, who are then able to identify ‘unknown’ suspects.
Put bluntly: after analysis of their data (travel dates, itinerary, baggage and payment information, etc.) passengers can become suspects; they get on the list.
Understandably, for security purposes, such a tool can be very useful. It makes sense between allies, and the EU has signed such agreements with Canada and Australia too. It makes even more sense between EU countries; something that has yet to be achieved.
But understandably as well, such tool raises a number of questions when it comes to the type of data collected, the authorities who will have access to it, the duration of retention of the data, and the risks such profiling could present to individual fundamental rights.
In the aftermaths of the Paris terror attacks of January 2015, it made renewed sense in Europe to push for a single EU wide PNR. While member states can perfectly design their own systems – and some already have – such fragmentation defeats the purpose of ensuring the same high level of security and privacy to all EU citizens in all EU countries.
In a resolution that put an end to a long standing stalemate between EU institutions, members of the European Parliament called in February for progress to be made by the Commission and member states on issues related to data retention and data protection, with a view to adopt an EU PNR legislation by the end of the year.
Reform of data protection rules and adoption of a necessary and proportionate PNR system should therefore be done in parallel. Such conditionality is risky on many levels. But it could also give a much awaited boost to discussions in Europe on data retention and data privacy.
In addition, finding the right balance in the EU PNR legislation could prove valuable for negotiations with partner countries. On April 1st, Mexico could have started imposing fines of up to $30,000 per flight to European airlines if it was not given sufficient guarantees that an EU-Mexico PNR agreement would soon see the light of day.
The EU agreed to do so, and the deadline was pushed back to July 1st. Mexico’s muscle flex is not surprising in the current global security context. Other countries, such as Japan and Korea, have asked for the same in past, and could potentially resort to the Mexican precedent.
As it now stands, the debate over PNR in Europe reaches far beyond the borders of the EU. It reaches to the core fundamentals of both individuals and nations: liberty and security. “They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety”, cautioned Benjamin Franklin.
Perhaps, but when it comes to personal information, the assumption of an inevitable trade-off between security and privacy should not be the norm.
The mere idea of such a trade-off makes it virtually impossible for policymakers or citizens to move forward constructively.The EU should on the contrary work towards increasing collective security by raising the standards in the protection of privacy. And the parallel discussions over PNR provide an ideal framework to do so before the end of the year.
We still may not know who is really sitting next to us on the plane after that, but someone definitely will.