For 2017, the world’s principal privacy and data protection issues centred once again on the challenges of transferring personal data between the European Union and the United States. As of October 2017, over 2,500 organisations had already certified compliance with the standards of the transatlantic Privacy Shield. While both sides expect the Privacy Shield to survive the EU’s first annual review of the Privacy Shield’s operation, the fate of this limited ‘adequacy’ decision for the United States will ultimately be decided by the Court of Justice of the European Union (CJEU). This is the same tribunal that previously invalidated the US–EU Safe Harbor Framework in a case brought by Austrian student Max Schrems.
In addition to judging the validity of the Privacy Shield, the CJEU will confront the issue of whether standard contractual clauses (also known as model contracts) can properly be used to transfer data to the United States. This issue was referred to the CJEU by the High Court of Ireland following an application made by the Irish Data Protection Commissioner in May 2016. The case originated in a reformulated complaint that Max Schrems filed against Facebook Ireland following the invalidation of Safe Harbor.
The Privacy Shield, like Safe Harbor before it, concerns only transfers to the United States, and the Irish court case also specifically addressed the viability of model contracts for transfers to the United States. Nonetheless, if the CJEU were to invalidate model contracts, this could in principle disrupt transfers of personal information from the EU to any country whose data protection regime has not yet been deemed ‘adequate’. This could of course put a brake on significant amounts of international trade, investment and business. Furthermore, if the CJEU outcome were negative only with respect to the United States, there would come a point where discrimination and denial of ‘national treatment’ would become a trade issue for the EU and the United States. This could be a problem for the EU, since the checks and balances that each Member State imposes on its own government’s surveillance for national security and law enforcement purposes may not be equivalent to the safeguards imposed by the United States.
In 2017, the EU has also focused intensely on itself. The new General Data Protection Regulation (GDPR), which will enter into effect in May 2018, has captured the fevered attention of businesses inside and outside Europe because of its potential for imposing very significant penalties. Violations could result in payments of €20 million or 4 per cent of global turnover, whichever is higher. Moreover, the GDPR will apply not only to companies established in the EU, but also to those processing data about Europeans if they offer services in the EU or monitor the online activities of individuals located there. It remains to be seen whether the EU and its Member States will develop procedural rules and fairness standards to ensure that companies accused of violating the GDPR receive due process, as well as an effective ‘consistency’ mechanism under the new European Data Protection Board. Another question is whether the EU will avoid disproportionately targeting US companies for major penalties or investigations.
The GDPR imposes heightened obligations on companies to obtain consent from the individuals about whom they collect data, and citizens will have powerful rights to object to online profiling, which will have to be advertised in a highly visible manner, and to receive some explanation about significant decisions that affect them that were based on algorithms or automated processes. The consent of parents will also be required for processing information about children under 16, unless individual EU Member States lower the age of consent (but not younger than 13). In general, controllers in the EU will need to focus more intensely on the grounds justifying their collection and processing of data to the extent that they do not have or cannot obtain consent. The scope of ‘legitimate interests’ of the controller will be a hotly debated topic in the EU for years.
EU residents will also have greater rights to ‘data portability’, which will require companies to collaborate on interoperability. Significantly, this portability right will not generally apply to data inferred or derived by the controller, but rather, to data “provided by the subject”. Companies will be obligated to undertake privacy impact assessments where they process high-risk data; for example, profiling based on sensitive data such as health information. Where the risk of processing cannot be mitigated by privacy-enhancing measures, the company may need to consult with the relevant data protection authority (DPA). Companies will also need to consider appointing data protection officers (DPOs) for their EU operations, or document why they have concluded that no DPO is necessary. DPOs must be accessible in the EU but are not required to be physically resident there.
The GDPR will also bring mandatory data breach notification to the EU, which will now require DPAs to be notified within 72 hours of a breach, if feasible. Affected individuals must be notified if the breach is likely to result in high risk to them.
The EU is also considering a new ePrivacy Regulation for implementation in 2018 (possibly contemporaneous with the effective date of the GDPR), which will apply to an expanded array of communication services. The EU’s network security directive also goes into effect for Member States in 2018.
In the United States, major data breaches continue to prompt significant litigation, financial settlements and enforcement actions by the Federal Trade Commission (FTC) and state attorneys general. The FTC has also brought significant privacy cases, such as a US$2.2 million settlement negotiated with a TV manufacturer alleged to have been collecting viewing data from users of its televisions without their knowledge. In 2017, the United States appeared to continue to lead the world in privacy enforcement and litigation.
In a case where a tech company announced in 2016 that it experienced breaches affecting 1 billion and 500 million users in 2013 and 2014 respectively, the board of directors conducted an independent investigation that was viewed by many in the legal community as establishing new expectations for the responsibility of general counsels and senior executives to investigate, analyse and escalate data security events.
On the policy front, the US Congress invoked its power to review major regulations by voting to rescind the privacy regulations imposed on internet service providers (ISPs) – but only ISPs – by the Federal Communications Commission (FCC). President Trump signed the law that invalidated the ISP privacy rules that had been issued by the FCC during the administration of President Obama.
China’s major new Cybersecurity Law entered into effect on 1 June 2017. It established a new legal system for protection against cyberthreats and imposed stricter requirements and penalties regarding the cross-border transfer of certain types of data from China. However, implementation provisions are still to be worked out. Data localisation requirements have been imposed on personal information in the banking sector and the country’s new Counter-Terrorism Law requires telecom and internet companies to cooperate more extensively with the government. Like the Cybersecurity Law, the Counter-Terrorism Law’s details and interpretation remain unclear.
In Russia, the 2014 data localisation law requiring primary data processing to be conducted in Russia has forced businesses to modify their practices to comply. Recent counter-terrorism laws have imposed added data retention and government-access burdens on internet businesses. Russia obtained an agreement from Twitter to transfer servers to Russia by the middle of 2018 and an enforcement action against LinkedIn proceeded even though that company had no physical presence in the country. The Russian court rejected LinkedIn’s argument on the grounds that the company was deliberately targeting Russian users in the Russian language.
In India, the country’s Supreme Court declared privacy to be a fundamental constitutional right. As in the EU and the United States, the right to privacy is not absolute, and the Court noted that the right is subject to reasonable restrictions. As in Europe, privacy is deemed to include a right to control data on the internet and the right to be forgotten.
In France, this year’s emphasis has been on the development of additional cybersecurity laws.
Regarding privacy enforcement, a €150,000 penalty was imposed on a social media company for combining data for targeted advertising and tracking allegedly without user knowledge or consent on third-party sites.
In Spain, use may not be made of online behavioural advertising and profiling in reliance on the EU’s ‘legitimate interest’ standard. Thus, express prior consent may be required.
The United Kingdom has stated its intention to adopt a law implementing the GDPR before Brexit occurs.
In Singapore, proposed changes to the country’s data protection act are pending and the passage of significant changes to Singapore’s legal requirements for cybersecurity are believed to be imminent.
Japan adopted major changes to its law in 2016 with a new Privacy Protection Act, which follows an EU model, including an adequacy requirement for transfers to other countries. The new Act implemented drastic changes that entered into force on 30 May 2017. The law also established a new independent enforcement agency.
In Korea, a new law was adopted requiring more conspicuous notice and consent regarding collection and use of personal information. The legislation responded to a court case invalidating consent where the disclosures were made in a font too small for informed consent. In 2017, Korea also became the 21st economy to join the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system.
In Nigeria, despite the government’s efforts, Nigerian hackers are estimated to have stolen US$3 billion worldwide. Privacy is a fundamental right under the country’s constitution and there is some government enforcement in the data protection arena.
In Australia, mandatory data breach reporting goes into effect as of 22 February 2018, with notification required for incidents posing serious harm to individuals.
Argentina is considering the creation of a new autonomous and independent enforcement agency outside the Ministry of Justice and Human Rights. This is believed to be necessary to retain the country’s status as adequate for EU purposes.
In Brazil, privacy is still only regulated in the context of internet use, but new data protection bills are pending. While a court denied a preliminary injunction to enjoin Google’s scanning of emails allegedly without user consent, the litigation remains unresolved.
Mexico enacted a new privacy legal framework on 27 January 2017. A new (or at least newly named) agency has been placed in charge of enforcing the country’s data protection law. The new agency is considered to be an autonomous entity.
Canada, like the EU, is extending its privacy regime extraterritorially. A court has held that the country’s federal privacy law, PIPEDA, applies to organisations that process data about Canadians even if the company is not present in Canada. Mandatory data breach notification is still under discussion but has not been adopted.
The above discussion highlights some of the more notable privacy and cybersecurity developments for 2017 covered in greater detail in the succeeding chapters. There was, of course, also further considerable activity throughout the rest of the world.
* * *
The year ahead is likely to bring increased attention to connected devices, autonomous vehicles, artificial intelligence, machine learning, big-data analytics and predictive algorithms. These novel areas hold serious implications for security (as in hacking cars or medical devices), as well as uncertain and, for now, abstract impacts on personal autonomy, privacy and profiling. Data transfer disputes, data localisation trends, aggressive government demands for decryption and access to underlying software code and algorithms, election hacking and fake news will roil digital trade and even affect political stability. The intersection of cybersecurity, counter-terrorism, privacy and human rights remains fraught and subject to abuse, hypocrisy and checks and balances in different jurisdictions. The field of privacy, data protection and cybersecurity will thus continue to eschew equilibrium for the foreseeable future.
1 Alan Charles Raul is a partner at Sidley Austin LLP.