A Soundtrack for Data Security

So much of the explosion in innovation in the music industry is around technological processes. But artists still need to focus on their art. To do so, they need to surround themselves with tech-savvy people. And hire a good lawyer.
– Gigi Johnson, Director of the Center for Music Innovation, University of California Los Angeles

Privacy policies are painful to read, not least because they’re very technical, boring, and long. According to a recent study, if the average person read every privacy policy for each website they visited in a given year, it would take approximately 244 hours, or 40 minutes each and every day. In spite of this, privacy policies have begun to attract mainstream attention.

In 2015, Spotify introduced a sweeping overhaul of its privacy policy that consumers called “creepy,” “eerie,” and “even worse than the National Security Agency.” Some of the controversial features included Spotify’s access to users’ contacts and photos, as well as GPS location and sensor data. Public backlash and negative media coverage soon led CEO Daniel Ek to apologise and promise to change key terms of the policy. And Spotify is not alone: WhatsApp, Facebook, Twitter, and even the game Angry Birds have all received criticism for draconian privacy policies.

Spotify may need to change its privacy policy yet again before May 2018, when existing data protection laws will be replaced by the new General Data Protection Regulations (GDPR). Notably, the GDPR updates the rules in respect of transferring data outside of the European Economic Area (the European Union, plus Iceland, Liechtenstein and Norway).

Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
– The Eigth Principle of the GDPR

Data controllers and data processors (I refer to both as “companies” here) send data across international borders for a variety of reasons. For example, multinational companies might need to send information between offices in different countries. Companies may also exchange data with foreign customers or suppliers, or choose to use cloud services or servers located in jurisdictions with lower labour or maintenance costs.

In respect of international transfers of data, Spotify’s current privacy policy states (inter alia):

Spotify transfers, processes and stores information about our users on servers located in a number of countries. Your personal information may therefore be subject to privacy laws that are different from those in your country of residence. Information collected within the EEA and Switzerland may be transferred to and processed by third parties located in a country outside of the EEA and Switzerland, where you may have fewer legal rights in relation to your information.

The GDPR does not radically change existing data laws, but its introduces new accountability and transparency obligations for companies that manage personal data. To escape these new regulations, such companies may be tempted to simply move data outside of the EEA, and then store or handle the data in countries with fewer legal obligations. However, to ensure that Europeans benefit from data protection worldwide, the GDPR actually restricts how data collected in Europe can be transfered to non-EEA countries.

Passport required? How will companies transfer personal data outside of the EU from MAy 2018? (photo @tuulavintage)

Some non-EEA countries are pre-approved destinations for European data, because the EU Commission considers their data laws to be “adequate” (Article 45). These countries include Canada, Switzerland, Argentina, Israel, and – under the “Privacy Shield” – the United States. But to transfer data to a non-approved country, a company must provide certain safeguards, and ensure that individuals whose data are being processed (“data subjects”) have enforceable rights and legal remedies (Article 46).

One straightforward way for a company to have these safeguards in place is to use standardised contractual clauses approved by the Commission, known as “Model Clauses” and “Binding Corporate Rules.” The GDPR also provides some exemptions from these restrictions, including instances where a data subject gives informed and explicit consent to a transfer. To obtain this consent, a company’s website would likely use a “click here to approve” notification which clearly explains the risks and protections involved in such a transfer.

My guess is that Spotify and other similar platforms will incorporate Model Clauses or Binding Corporate Rules. The GDPR will obviously impact companies differently, depending on the extent to which they engage in cross-border transfers, and the reasons they do so. In any event, I’m sure the lawyers already have their red pens (and headphones) at the ready.

I’ve written previously about GDPR implications for digital media platforms.