With the dissolution of Safe Harbor and the ensuing agreement that is the EU-U.S. Privacy Shield framework, the landscape surrounding data transfers and the privacy of international data has taken an evolutionary step. Though Privacy Shield is not the revolutionary and sweeping legislation that will follow when the European Union General Data Protection Regulation (GDPR) is enacted in the coming years, it does provide more concise and defined rules surrounding the privacy of EU citizens. One of the primary concerns in any privacy discussion is that of reasonable access to data retained about an individual. Though Privacy Shield adds clarification to Safe Harbor policies, changes to the language surrounding both an individual’s access to data collected about him or her and how this data will be used create the need to revisit this topic. To truly understand what the risk factors are around this access, we need to understand the pillars of the updated principle of access as it is outlined in Privacy Shield.
Individuals must have access
The most important part of any discussion surrounding data collected about an individual is having a clear framework to ensure that he or she can access that information. While this seems straightforward, and was a cornerstone of Safe Harbor, it is a bit more involved than you might think. This is not simply a conversation about handling consumer information, but instead one of an inherent right similar to free speech in the United States. When designing systems that store and process information about individuals, the ability to respond to these access requests must be a primary consideration.
Individuals must be able to correct data
In addition to ensuring that data is available upon request, Privacy Shield requires that individuals have the option to “correct, amend, or delete that information where it is inaccurate, or has been processed in violation” of the principles set forth in the Privacy Shield framework. This right to correct and remove data is vital to understanding the European mindset surrounding an individual’s privacy. The battle over the right to be forgotten is currently embroiling international players (such as Google), and the implementation of Privacy Shield and the GDPR is a step toward defending that right.
Requests can be refused
There are, of course, provisions built into Privacy Shield to refuse access requests in certain situations. In fact, the provisions are so similar to the ones in Safe Harbor that some have criticized the limited improvements made around both private and institutional access to data. The Article 29 Working Party directly addresses this in its opinion, which attempts to redefine the concept of storing data in Privacy Shield so the meaning of “storage” actually includes “processing” with regard to any organization handling personal information. A major expansion to the concept of storage under Safe Harbor, this expanded definition will drastically change the amount of information that would be considered private and require individual access. This definition, however, also makes the conversation surrounding data surveillance more complicated for reasons I’ll explain later in this post.
Where is the risk?
Since the Snowden leak, there has been significant concern in the EU surrounding the privacy of individuals’ information once it has been transferred to the US. In particular, European data protection authorities are concerned about risks associated with surveillance programs. In the words of the Article 29 Working Party, “any interference with the fundamental rights to private life and data protection need to be justifiable in a democratic society.” This is what underscores the risk that was seen in the Safe Harbor agreement and still, to a lesser extent, exists in Privacy Shield. The idea that privacy is a fundamental right inherent to all is vital to the success of the new agreement as well as any future governing agreements. Limiting access to private data by governments and the intelligence communities is key to limiting risk and ensuring that private data in fact remains private.
How do we reduce risk?
Understanding access and the associated risks allows us to address them directly. While it may never be possible to completely restrict access to personal data and ensure it remains private, updates to existing rules and regulations, such as the changes made in Privacy Shield, move us closer to that idealized goal. Recommendations based on the understanding that these new regulations are made in good faith to increase transparency are the best place to start. These recommendations should:
- Be seen as essential guarantees
- Include processing in accordance with the law
- Ensure that legitimate objectives are pursued and independent oversight mechanisms exist
- Make effective remedies available to individuals
While the new Privacy Shield framework is far from a perfect solution, it should be seen as a stepping stone on the way to the comprehensive changes that are coming in the GDPR. Ensuring that your organization brings privacy policies and systems in line with the new agreement will be the first step in preparing for the changes ahead. I recommend that you:
- Make sure that you know what data you have
- Make sure that you are able to report on that data
- Make sure that you can correct information kept in your records
Discovery and classification will be the key to keeping this data organized and ensuring compliance with this ever-changing landscape. Taking proactive steps toward classification will see you prepared for new rules once they are implemented, prepare you for future changes to the privacy framework, and create a new level of trust with your employees and customers.