A large portion of the backlash from the Cambridge Analytica (CA) saga, at least in the Privacy world, has been the focus on US privacy governance, or, as the EU pointed out, the lack of it. This has been a thorn in the side of the EU for some time, with notable events in the transatlantic relationship being: the moving away from traditional Model Contract Clauses (MCCs); the creation of the Safe Harbor Agreement; (even more notable) the overturning of Safe Harbor due to the Max Schrems v Facebook case; the creation of Privacy Shield; and the potential overturn of MCCs through the Irish Courts (again, due to Facebook). For comparison’s sake, other countries outside the EEA have not had such a hard time of it, and have the choice of Binding Corporate Rules (if eligible), MCCs, or getting an adequacy decision as a country (such as Israel, New Zealand, Switzerland, Uruguay, etc.).
Schrems, the privacy campaigner who had the Safe Harbor Agreement overturned, and who now has his sights set on MCCs, seems to be feeling vindicated since Facebook were implicated in CA’s misuse of data. Schrems is reportedly ready to file more lawsuits to try to force stricter privacy laws for the US, which will no doubt be taken slightly more to heart by Facebook this time round (especially now that the hope of a class action lawsuit costing a serious amount of money has abated). Other major players are also increasingly vocal in their concern, such as Sophie in’t Veld, a member of the EU Parliament, and Vera Jourova, the EU Justice Commissioner. Both are calling this a wake-up call for Europe to ensure that its citizens’ data is protected in the US, beyond mere lip service.
Let’s look at the journey the US (and Facebook) has taken with EU privacy laws, their validity today, and the future of the Privacy Shield arrangement.
Binding Corporate Rules
BCRs are for multinational corporations, international organisations, and groups of companies who transfer or otherwise process, outside of the EEA, the data of EEA citizens or of individuals who live in the EEA. Binding corporate rules are internal rules for data transfers within an organisation, like a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection, and must be signed off by a data protection authority, such as the Information Commissioner’s Office (ICO) or its equivalents within the EEA.
These have been around since the Article 29 Working Party birthed them in 2003, but so far, according to the European Commission’s website, only 88 have been set up and signed off. This is an indication of how popular these are, considering the sheer number of companies who would be eligible for them as they share data across EEA borders within their organisations and subsidiaries. The low take-up could be due to the process being difficult, the standard of sign-off being high, or low awareness. Considering that many of the eligible organisations have very knowledgeable lawyers and information management professionals, I would posit it is one of the first two. Facebook do not have a BCR, but one would validate the data transfers within the Group and solve a number of their issues. This is unlikely to be a path Facebook follow, as it would need to be signed off by either the ICO or the Data Protection Commissioner in Ireland. The process would mean their internal practices would be under significant scrutiny, at the end of which they may not meet the standard, and, to boot, the outputs of this scrutiny would be up for grabs under the Freedom of Information Act (exemptions notwithstanding). If Facebook do go for this option, I will eat my hat. However, for other US multinational companies who are eligible for it, it is an option worth exploring, as once achieved it’s smooth sailing as far as internal international data processing goes.
Model Contract Clauses
MCCs are for any organisation outside of the EEA wanting to process European data for a company within the EEA. They’re usually an annex to a Data Processing Agreement, and are unfortunately an afterthought and a blocker in procurement processes which include any international organisation (‘if only they’d gotten Privacy involved right at the start!’ will likely be etched onto my tombstone as my most-said phrase). If initiated at the beginning of a procurement process, with privacy and security provisions included in the tendering process, MCCs are relatively pain-free. They only become painful when a non-compliant organisation wins a tender because privacy and security were not considered beforehand.
Max Schrems has semi-recently brought to the Irish High Court the case that MCCs just won’t cut it when it comes to transferring EEA data to the US; the High Court decided that it wasn’t really the one to decide on it (that honour falls to the Court of Justice of the European Union). It is highly likely that the CJEU will invalidate MCCs for transatlantic transfers, as the Irish High Court found that the concerns were ‘well founded’ due to the MCCs not offering any remedial action for rights abuses through the US courts. This is especially important considering the indiscriminate mass surveillance operations underway by the US government. Any MCCs with the US which are currently active are still valid; however, I wouldn’t advise signing any more as the basis of a contract as a US company, as they could be (and are likely to be) invalidated quite soon. As Facebook are relying on MCCs, this is likely to add fuel to the fire for both MCCs as a concept and Facebook’s position in the CA debacle, as it has been known for over a year that the clauses are on shaky ground.
The elephant in the room when discussing the validity of any agreement or contract with the US is the ‘massive and indiscriminate’ surveillance undertaken by the US government, which has been the reason in the past, and will likely be the reason in the future, for the invalidation of transfer agreements. The Article 29 Working Party has repeatedly stated that such surveillance is not compatible with EU law, and that where state authorities’ access to information goes beyond what is necessary in a democratic society, such countries and territories will not be deemed safe places for the transfer or processing of EU data.
Overall, the blood is in the water for MCCs (but not for their more difficult cousins, BCRs!). Both the US and, more specifically, Facebook must utilise stricter privacy controls and governance if they want to be competitive in the more privacy-aware EU market. US companies, especially tech companies, are losing out on contracts due to this issue, and will be losing out on more as GDPR comes in and EU companies review their data processor agreement contracts and third-party supplier lists.
The next post will focus on the subject of (the late) Safe Harbor Agreement, Privacy Shield, and the future of transatlantic data processing.
Data Protection has recently come back into the public consciousness in a way it hasn’t done since the TalkTalk breach, and unusually it’s not for a security breach but a breach of legal processing, which rarely captures the public’s attention. Let’s look in detail at where it went wrong in relation to the Data Protection Act and the upcoming General Data Protection Regulation.
Cambridge Analytica (CA) were in breach of Principle 1 of the Data Protection Act (DPA) due to not having a legal basis for processing. CA may insist that they had the consent of the data subjects; however, this consent was clearly not informed and freely given, considering that users thought it was for a fun personality quiz called ‘thisisyourdigitallife’. If the quiz’s fair processing notice had followed the ICO’s guidance, the user would have had real choice and control (which requires being informed), a positive opt-in such as a tick box (especially for sharing with third parties such as CA), the names of any third parties who may receive the information (meaning CA should have been specifically named), and consent freely given by the data subjects.
There is a trend in apps, especially third-party apps which link to social media, for their fair processing notices to be insufficiently transparent, often not coming close to the standards of the DPA and the ICO’s recommendations. Under GDPR the requirements written into legislation are more specific, and so it will be easier to prosecute those who are clearly being vague in order to gain consent. In the instance of CA this shouldn’t be a problem for prosecution, as the end use is so distant from the purposes initially stated that it breaches Principle Two of the DPA, i.e. that organisations must detail specifically why they need the data, and must not process it further for different purposes. Not only did ‘thisisyourdigitallife’ not have an appropriate condition for processing, as its consent wasn’t compliant, but the data was also sent to an undisclosed third party (CA) for a purpose completely separate from that of Aleksandr Kogan and Global Science Research.
To add insult to injury, data subjects were not just providing ‘consent’ for their own data to be processed; they were giving consent for some of their friends as well. As people can’t give consent on behalf of others (unless they are legally responsible for them), this is also a breach of Principle One. It is clear that the majority of the data was collected by scraping users’ friends’ profiles, as only 270,000 people took the quiz but data was collected from around 5 million individuals via the quiz’s functionality, which also looked at friends’ profiles. Some may argue that, as their friends’ privacy settings were not set to private, these people were open to having their data scraped. This may be true on an open platform like Twitter, but most people on Facebook who have ‘open’ profiles have done so by mistake, due to the nature of Facebook’s default settings. It is public largely by accident, not on purpose. This brings the Right to Privacy in the Human Rights Act into play if it were brought to court, on top of the other transgressions.
Direct Marketing is defined in the DPA as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. This doesn’t only cover selling items, but also the marketing of ideals, and so covers political campaigns. Although highly targeted campaigns through Facebook and other social media sites have not yet been brought into scope by the ICO and other legislators as direct marketing, the more personalised they get, the more likely they are to come into scope. Technically, if the definition is taken at face value, these types of adverts should already be in scope. Once marketing and advertising are defined as direct marketing, they come under much more stringent governance processes, which, arguably, the issues with data usage by CA have shown to be necessary.
In breach of Principle Five of the DPA (retaining data for longer than the purposes you obtained it for), CA held onto the data from Facebook, who here are the original Data Controller, after they had been told to delete the data, and after they had confirmed they had done so. Attempting to get a streak of as many of the 8 Data Protection Principles contravened as possible, there is also a case that Principle Four (‘Personal data shall be accurate’) has been contravened, given their assertion that they put forward knowingly inaccurate smear campaigns (discovered through the Channel 4 sting). However, the slander and libel laws are much better established for this purpose, and so it is unlikely a Principle Four contravention will be pursued as much as the others.
Under the DPA (given that they are prosecuted under this and not the GDPR), they will be in contravention of Section 55 of the DPA, especially as they did not have the consent of Facebook:
“A person must not knowingly or recklessly, without the consent of the data controller--
(a) obtain or disclose personal data or the information contained in personal data, or
(b) procure the disclosure to another person of the information contained in personal data”.
This is a criminal offence which can attract a personal fine as well as a fine for the person’s company; however, it is much more likely that only the company will be pursued, rather than individuals. Data subjects could also press for damages for distress caused, on top of the personal and company fines, with potentially five million data subjects having a legitimate case.
Considering their contraventions, the ICO are interested in CA and their practices. CA were given a deadline to respond to the ICO’s request for access to their servers, a deadline which passed with no access given. The ICO are now having to apply for a warrant to access these servers. The delay in being able to raid will no doubt hinder the investigation significantly, but the evidence will also be held by Facebook, so CA won’t be able to scrub away the evidence of wrongdoing, only attempt to defend it.
Overall, it has been a catalogue of errors, with CA seemingly ignoring any legislation which protects people’s privacy in order to reach their desired goal.