Bloomberg Law
Jan. 27, 2016, 4:59 PM UTC

The Exponential Problems Created By Cross-Border Data Movement

Stephen Treglia

Editor’s Note: The author of this post is a former prosecutor who works for a mobile software device company.

By Stephen Treglia, Legal Counsel & HIPAA Compliance Officer for Investigations, Absolute Software Corporation

For much of the history of privacy law and regulation throughout the world, the level and severity of these rules have been confined to the boundaries of the individual countries that created them. As digital data has evolved over the last generation to effortlessly cross geographic boundaries, new legal solutions are also evolving. Add to this equation the ability of mobile devices to physically and easily move personally sensitive data from one country to the next, and the legal problems multiply exponentially.

What this potentially means is that a country that has minimal or even no data privacy protection laws may be subject to the data privacy laws of other nations that require a higher level of security.

Origins of modern privacy laws

The origins of modern privacy legislation can be traced to the passage of the Bill of Rights by the United States Congress in 1789. The Bill ultimately resulted in the creation of the first ten Amendments to the U.S. Constitution, which had only come into existence two years earlier.

What came to be routinely called the “Fourth Amendment” instituted a prohibition against unreasonable law enforcement searches and seizures of persons and property unless a magistrate-issued warrant specifically describes the place to be searched and the person and property to be seized. This concept, which was developed by what has been described as the “Founding Fathers of America,” was based on the notion that a “man’s home is his castle.” The Fourth Amendment was specifically created in response to the British practice, prior to the Revolutionary War for American Independence, of invading the homes of then-American colonists unannounced to conduct warrantless searches and seizures.

It wasn’t until 150 years later, however, that this right against unreasonable searches and seizures was truly recognized as being the foundation of modern privacy rights. The esteemed Supreme Court Justice Louis D. Brandeis, who is sometimes called the “Father of Modern Privacy,” is credited with coining the phrase that the Fourth Amendment created a “right to be let alone” in his dissent in Olmstead v. United States, 277 U.S. 428 (1928). (He was not, however, the first judge to make this observation.) Over the nearly 90 years that have followed, this “right to privacy” has evolved to become a cornerstone of American protections, even though neither the U.S. Constitution nor any of its subsequent Amendments ever makes any mention of the word “privacy”.

Privacy rules evolve elsewhere

Other countries have likewise evolved their respective legal right to privacy, in some nations to even higher levels than currently exist in the United States and to a lesser extent in others. With personal and private data existing in modern society in multiple geographical jurisdictions simultaneously, governments have only recently begun to address the issue of whose law controls, with some interesting results.

The extension of privacy rules to other countries

For example, in April of 2015, the U.S. Federal Communications Commission fined AT&T $25 million for the unauthorized disclosure of the names, partial Social Security numbers, and other personal information of nearly 280,000 American citizens. What makes this case particularly interesting is that this disclosure did not occur in the United States, but at AT&T’s “call centers” in Mexico, Colombia and the Philippines. Hence, even though no data breach occurred in the U.S., the FCC used its authority over an American company to act on the loss of American citizens’ private data occurring in other countries.

Six months later, the highest European Union Court ruled that the “Safe Harbor Agreement” between the E.U. and U.S. entered into in 2000 is now invalid. To truly appreciate the significance of this, it is necessary to understand a little about E.U. privacy law.

In 1995, the E.U. Parliament passed the Data Privacy Directive, which regulates the processing, possession and transfer of data regarding E.U. citizens. The Directive is not a mandatory requirement to be explicitly followed by each of the E.U.’s 28 member countries. Instead, it is merely a recommended blueprint of how privacy laws and rules should be enacted by each member country. Therefore, there is a wide range in the levels of data protection from one E.U. country to the next.

In order for data promoting commerce to flow more freely with the U.S., a process was established to avoid American companies having to prove compliance with each and every E.U. member’s individual set of privacy laws. Hence, the creation of the Safe Harbor Agreement in 2000. An American entity seeking Safe Harbor could “self-certify” to the U.S. Department of Commerce that it was in compliance with all 28 E.U. countries’ privacy rules. This created what has been referred to as a “one-stop shop” which greatly simplified the ability for American companies to conduct business in the E.U.

In 2014, Maximilian Schrems, an Austrian citizen, filed a complaint with the Irish Privacy Commissioner challenging the privacy of his personal data maintained by Facebook. (Ireland is the location of Facebook’s European subsidiary.) He alleged that the personal data he shared with Facebook in Ireland, as well as the personal data of other European users, is transferred to Facebook’s servers in America. As a result of Edward Snowden’s revelations in 2013 of the U.S. National Security Agency’s massive collection of personal data stored on public media sites, including Facebook, he claimed the self-certification process afforded by American companies did not reliably protect E.U. citizens’ privacy.

The Irish Court transferred the case to the Court of Justice of the European Union, which, on October 6, 2015, issued an opinion agreeing with Schrems and invalidated the Safe Harbor Agreement between the E.U. and U.S. Since then, Israel and Switzerland unilaterally invalidated their agreements with the U.S. (Israel and Switzerland had voluntarily followed the E.U.-U.S. Safe Harbor Agreement despite not being part of the E.U.)

This means U.S. companies will have to prove compliance with the privacy laws of each of these countries to continue business there. It has been reported that the Data Privacy Commissioners of each of the E.U. member countries will begin evaluating compliance with their respective privacy laws by American businesses by the end of January, 2016.

There are alternative means of compliance already available to foreign companies seeking to do business in the E.U. while maintaining adequate privacy requirements, such as “model contract clauses” and “binding corporate rules.” For various reasons, however, these are not easy or quick fixes. Moreover, neither of these options is suitable for every kind of business endeavor. While a new Safe Harbor Agreement is in the works, its creation has not yet gone as smoothly as originally hoped and may not be in place by the end of January.

Future issues

Another piece was added to the jigsaw puzzle in December of 2015, when the European Commission and the E.U. Parliament and Council finally agreed on a long-awaited Data Protection Directive. Nearly four years in the making, it is now pending formal adoption by the Parliament before it is sent to each of the E.U. member countries for consideration.

One noteworthy aspect is that the Directive currently only applies to companies that have a physical presence in an E.U. country. The Regulation, instead, will apply to all entities that “do business” in an E.U. country, meaning these privacy laws will also apply to all solely online companies that have E.U. customers. Failure to comply could result in a fine of up to 4% of the company’s gross world revenues. The Regulation will also implement breach notification and right-to-be-forgotten requirements.

Conclusion

It is imperative that companies worldwide begin investing in security measures that will keep their customers’ data secure at the highest level of legal requirements. Residing in a country with little or no data privacy protection may soon no longer be that company’s “Safe Harbor.”
