Tag: data protection

data protection

Have European laws improved American privacy protections?

by Kelsey FarishLeave a Comment on Have European laws improved American privacy protections?
Have European laws improved American privacy protections?

The European Union’s landmark data privacy law, the General Data Protection Regulation (GDPR) went into effect one year ago this week. By now, the implications for European residents and companies are fairly well known. Many of us will have received updated privacy policies in our email inboxes, or become increasingly aware of headline-grabbing stories on mass data breaches. But what about beyond the borders of Europe? Has GDPR changed the way in which data protection and privacy matters are viewed in the United States? 

The first thing to consider is whether GDPR has the power to influence how American companies handle data. The answer is yes. The GDPR is a single legal framework that applies across all 28 EU member states – including, for the time being, the United Kingdom. But in a considerable departure from the old Data Protection Directive (95/46/EC), the GDPR imposes an expanded territorial scope beyond the EU itself. No matter where they are located around the world, companies must comply with the GDPR if they either offer goods or services to European residents, or monitor their behavior (see, inter alia, Recital 22).

These new regulations are not without teeth. Whereas fines under the previous directive generally maxed out at £500,000, fines under GDPR can reach up to 20 million euros or 4% of a breaching company’s global turnover. Accordingly, from 25 May 2018, many American companies became subject to European privacy laws for the first time, and faced considerably enhanced sanctions for noncompliance.

As a result, in the lead-up to GDPR taking effect, many Europeans were geo-blocked from accessing American websites. The reason? If European customers were blocked from accessing the websites, the companies would not technically be “offering their goods or services” to Europeans, nor would they be “monitoring their behavior”.

Although the majority of companies retreating from Europe were small to medium-sized technology companies, others included global names such as the Los Angeles Times (US small businesses drop EU customers over new data rule, Financial Times).

dims.jpg

The other approach taken by US companies was to move data centres and servers from Europe to the United States. Facebook made headlines by shifting data concerning more than 1.5 billion users from Ireland to its main offices in California. Although Facebook told Reuters that it applies “the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc [California] or Facebook Ireland,” representatives from the social media giant noted that “EU law requires specific language” in mandated privacy notices, whereas American law does not.

Has the GDPR made Europe “too chilled” for American tech companies? It is important to note that users impacted by Facebook’s server relocation mentioned above were non-EU users. Furthermore, the data migration does not release Facebook from its obligation to comply with the GDPR, insofar as European users are concerned. Nevertheless, the relocation underscores the point that the United States is often seen as a more friendly home for companies seeking fewer, less stringent privacy regulations.

Several companies which initially fled the long-armed reach of the GDPR have returned to Europe, albeit with significantly changed privacy notices and data protection practices. However, many have stayed away. Some privacy advocates will hail the departure of American tech companies who are unwilling to comply with the new privacy rules. But while it is true that privacy protection is an important and fundamental human right, it cannot be ignored that an increasing body of evidence suggests the GDPR has had a chilling effect on a wide variety of overseas companies.

According to a recent study by the Illinois Institute of Technology and the National Bureau of Economic Research, there has been an 18% decrease in the number of EU venture deals and a 40% decrease in the dollar amount per deal following GDPR implementation (The Short-Run Effects of GDPR on Technology Venture Investment).

Together with increased European regulations of the digital economy on the whole, it is arguable that lawmakers in Brussels are making it more difficult for American companies to enter the European market. Even for those that decided to remain in the EU despite the enhanced regulations, their future remains uncertain.

Will the GDPR inspire privacy laws in the United States? Given that US companies – even those located in America – must now play by European privacy rules in order to reach the EU market, it is arguable that various technology and media entities will start to impose tougher privacy standards on themselves. Such self-regulation is likely to be welcomed by technology professionals and corporate insiders, who may consider themselves better positioned than regulators and lawmakers to tackle the problems of privacy in a digital age. However, as we have seen in sectors ranging from pharmaceuticals to finance, self-regulation often falls short when it comes to consumer protection.

 

zb
In April 2018, Facebook founder Mark Zuckerberg was called before the US Senate to answer questions over Facebook’s responsibility to safeguard user privacy and the Cambridge Analytica scandal.

For a variety of reasons which fall beyond the scope of this post, the privacy laws of the United States have developed in an ad hoc fashion. Apart from the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPPA), few national laws exist to protect data privacy.

Instead, in the United States, companies are caught under different laws depending on which State they are headquartered in, or where they do business. Any applicable federal laws which touch on data privacy are most often to regulate specific industry sectors, such as health insurance mentioned above. Even in the wake of the Equifax data breach of summer 2017 – which affected over 145 million US consumers – attempts to improve consumer privacy protections have failed to pass in Congress.

Despite the lack of federal legislation, some American states are using their powers to pass laws at a more local level. One such state is California, which happens to boast both the world’s fifth largest economy, as well as one of the most impressive technology industries. Last year, California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law.

While at only 12 pages the law is a far cry from the obviously more comprehensive GDPR, it does grant California consumers specific rights over their personal information held by companies. Perhaps most interestingly, because the CCPA applies to any company which does business with California residents, the law will likely have a major impact on the privacy landscape across the country.

This begs the question: if the United States is in need of enhanced privacy protections, who should spearhead the endeavour? The US federal government via Congress, state legislators, or companies themselves? Some believe consumers will be better protected if Congress resists the temptation to intrude at federal level, to allow the states to experiment with their own legislation.

As we have seen in Europe, it is abundantly clear that any single privacy framework must be both flexible, as well as scalable, across a variety of industry sectors, geographies, and company types. To add to the political complexity, powerful industry players will likely lobby for special exceptions, and various federal agencies may clash over who will enforce any such regulation(s).

In conclusion, it is safe to say that the GDPR has indeed changed the way in which data protection and privacy matters are viewed outside of Europe. But the direction with which the Americans will choose to take it remains unclear.

On the one hand, some American companies have retreated from the EU. On the other, local governments have begun to take consumer privacy more seriously, by introducing new domestic data protection legislation. To find a balance between the two forces of economic enterprise and regulatory powers may be difficult. More likely, there may be a push and pull effect; whether privacy will prevail is yet to be seen.

data protection

Privacy Day 2019

by Kelsey FarishLeave a Comment on Privacy Day 2019
Privacy Day 2019

In 2006 the Council of Europe officially recognised 28 January as a data privacy holiday, to celebrate the date The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was signed in 1981. Also known as Convention 108, this document remains the only international treaty in the field of personal data protection.

In honour of this year’s Privacy Day – also called Data Protection Day – here are a few excerpts from some of my favourite English and American legal cases about privacy.

Image result for entick v carrington

In 1762, the King George IV’s Chief Messenger Nathan Carrington and others broke into the home of the writer John Entick. Over the course of four hours, the messengers broke open locks and doors and searched all of the rooms, before taking away charts and pamphlets, and causing £2,000 of damage. The King’s messengers were acting on the orders of Lord Halifax, the newly appointed Secretary of State: Entick later sued Carrington for trespassing on his land. In his judgment in favour of Entick, Chief Justice of the Common Pleas Lord Camden wrote:

Has a Secretary of State a right to see all a man’s private letters of correspondence, family concerns, trade and business? This would be monstrous indeed; and if it were lawful, no man could endure to live in this country.

Today, Entick v Carrington is considered to have deeply influenced the establishment of individual civil liberties, and limiting the scope of executive power. It also served as an important motivation for the Fourth Amendment to the United States Constitution, which guarantees protections to Americans against certain searches and seizures. 

Image result for queen victoria sketches

Prince Albert v Strange was an 1849 court decision which began the development of confidence law, the common law tort that protects private information. By way of background, both Queen Victoria and Prince Albert sketched as a hobby. John Strange obtained some of these sketches after they had been stolen from Windsor Palace, and published a catalog showing them. Prince Albert filed suit for the return of the sketches, and a surrender of the catalog for destruction. The Lord Chancellor Lord Cottenham granted Prince Albert’s plea, and explained in his judgment that:

The Court of Chancery will protect everyone in the free and innocent use of his own property, and will prevent other parties from interfering with the use of that property, so as to injure the owner. It is certain every man has a right to keep his own sentiments if he pleases. He has certainly a right to judge whether he will make them public, or commit them only to the sight of his friends. Privacy is a part, and an essential part, of this species of property.

 

Image result for Eisenstadt v Baird

In 1967, William Baird was charged with a felony for handing a condom to an unmarried woman who had attended one of his lectures on birth control at Boston University. Under Massachusetts law on “Crimes against chastity”, contraceptives could only be distributed by registered doctors or pharmacists, and only to married persons. The Supreme Court of the United States overturned the law in the 1972 case Eisenstadt v. Baird, and the majority opinion was written by Justice Brennan, who famously wrote:

If the right of privacy means anything, it is the right of the individual, married or single, to be free from unwarranted governmental intrusion into matters so fundamentally affecting a person as the decision whether to bear or beget a child.

In 1982, the state of Pennsylvania enacted legislation that placed a number of restrictions on abortion. In the resulting 1986 case Thornburgh v. American College of Obstetricians and Gynecologists, the Supreme Court overturned the Pennsylvania law, holding (amongst other things) that the “informed consent” and printed materials provisions of the law unduly intruded upon the privacy of patients and physicians. Justice Brennan penned the opinion, noting:

Our cases long have recognized that the Constitution embodies a promise that a certain private sphere of individual liberty will be kept largely beyond the reach of government. Few decisions are more personal and intimate, more properly private, or more basic to individual dignity and autonomy, than a woman’s decision whether to end her pregnancy. A woman’s right to make that choice freely is fundamental. Any other result, in our view, would protect inadequately a central part of the sphere of liberty that our law guarantees equally to all. 

Image result for naomi campbell magazine 1994

In 2001, British supermodel Naomi Campbell was photographed leaving a drug rehabilitation clinic, despite having previously denied that she was a recovering drug addict. After the photographs were published in the tabloid The Mirror, Campbell sued for damages in Naomi Campbell v Mirror Group Newspapers. The House of Lords held the paper liable, and Law Lord Nicholls stated:

The importance of freedom of expression has been stressed often and eloquently, the importance of privacy less so. But it, too, lies at the heart of liberty in a modern state. A proper degree of privacy is essential for the well-being and development of an individual. And restraints imposed on government to pry into the lives of the citizen go to the essence of a democratic state.

In the 2011 case of Federal Aviation Administration v. Cooper, the Supreme Court considered if the United States Privacy Act of 1974 covers mental and emotional distress caused by privacy invasion. The Court held that the Privacy Act’s “actual damages” provision only allowed Cooper to recover for proven pecuniary or economic harm. Justice Sonia Sotomayor wrote the dissent, joined by Justices Ruth Bader Ginsburg and Stephen Breyer. Perhaps unsurprisingly, I personally agree with Justice Sotomayor’s dissent, which noted:

Nowhere in the Privacy Act does Congress so much as hint that it views a $5 hit to the pocketbook as more worthy of remedy than debilitating mental distress, and the contrary assumption [in this case] discounts the gravity of emotional harm caused by an invasion of the personal integrity that privacy protects.

Of course, the cases above provide only a small glimmer of insight into the weird and wonderful world of privacy law. On international Privacy Day in particular, it’s important to remember that the legislation and court cases which shape our understanding of privacy and protection from intrusion go far beyond the modern notion of cyber security.

The right to privacy is a human right!

Related image

data protection

Facebook and Privacy: cases, reports and actions in Europe

by Kelsey FarishLeave a Comment on Facebook and Privacy: cases, reports and actions in Europe
Facebook and Privacy: cases, reports and actions in Europe

A list of European enforcement action, official legislative (Parliamentary) reports, and cases concerning Facebook with respect to data protection and privacy. This is a work in progress, last updated November 2018.

Data Protection Commissioner (Ireland) v Facebook Ireland Limited, Maximillian Schrems [Case C-311/18]

  • Jurisdiction: European Union, Ireland
  • Status: Case still in progress
  • Authority:  Court of Justice of the European Union
  • Keywords: EU Data Protection Directive (95/46/EC); EU/US Privacy Shield; Fundamental Rights

Continue reading “Facebook and Privacy: cases, reports and actions in Europe”

data protection

Transatlantic Data Transfers: US-EU Privacy Shield under review

by Kelsey FarishLeave a Comment on Transatlantic Data Transfers: US-EU Privacy Shield under review

When personal data travels between Europe and America, it must cross international borders lawfully. If certain conditions are met, companies can rely on the US-EU Privacy Shield, which functions as a sort of “tourist visa” for data. 

Earlier this week (19 November) the United States Federal Trade Commission finalised settlements with four companies that the agency accused of falsely claiming to be certified under the US-EU Privacy Shield framework. This news closely follows the highly anticipated second annual joint review of the controversial data transfer mechanism. 

IDmission LLC, mResource LLC, SmartStart Employment Screening Inc., and VenPath Inc. were slapped on the wrist by the FTC over allegations that they misrepresented their certification. But this is just the latest saga in an on-going debate regarding the Privacy Shield’s fitness for purpose. Only this summer, the European Parliament urged the European Commission to suspend the Privacy Shield programme over security and privacy concerns.

flying airplane

Background and purpose

Designed by the United States Department of Commerce and the European Commission, the Privacy Shield is one of several mechanisms in which personal data can be sent and shared between entities in the EU and the United States. The Privacy Shield framework thereby protects the fundamental digital rights of individuals who are in European Union, whilst encouraging transatlantic commerce.

This is particularly important given that the United States has no single, comprehensive law regulating the collection, use and security of personal data. Rather, the US uses a patchwork system of federal and state laws, together with industry best practice. At present, the United States as a collective jurisdiction fails to meet the data protection requirements established by EU lawmakers.

As such, should a corporate entity or organisations wish to receive European personal data, it must bring itself in line with EU regulatory standards, known as being “protected under” the Privacy Shield. To qualify, companies must self-certify annually that they meet the requirements set out by EU law. This includes taking measures such as displaying privacy policy on their website, replying promptly to any complaints, providing transparency about how personal data is used, and ensuring stronger protection of personal data.

Today, more than 3,000 American organisations are authorised to receive European data, including Facebook, Google, Microsoft, Twitter, Amazon, Boeing, and Starbucks. A full list of Privacy Shield participants can be found on the privacyshield.gov website.

Complaints and non-compliance?

There is no non-compliance. We are fully compliant. As we’ve told the Europeans, we really don’t want to discuss this any further.

—Gordon Sondland, American ambassador to the EU

Although the Privacy Shield imposes stronger obligations than its ancestor, the now-obsolete “Safe Harbor,” European lawmakers have argued that “the arrangement does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the European Court of Justice.”

In its motion to reconsider the adequacy of the Privacy Shield, the EU Parliament stated that “unless the US is fully compliant by 1 September 2018” the EU Commission would be called upon to “suspend the Privacy Shield until the US authorities comply with its terms.” The American ambassador to the EU, Gordon Sondland, responded to the criticisms, explaining: “There is no non-compliance. We are fully compliant. As we’ve told the Europeans, we really don’t want to discuss this any further.”

Věra Jourová, a Czech politician and lawyer who serves as the European Commissioner for Justice, Consumers and Gender Equality, expressed a different view: “We have a list of things which needs to be done on the American side” regarding the upcoming review of the international data transfer deal. “And when we see them done, we can say we can continue.”

Photo: Ambassador Sondland with Commissioner Jourova in the Berlaymont.
Jourová and Sondland, via a tweet from Sondland saying he was “looking forward to our close cooperation on privacy and consumer rights issues that are important to citizens on both sides of the Atlantic.” 

The list from the Parliament and the First Annual Joint Review [WP29/255] (.pdf) concerns institutional, commercial, and national security aspects of data privacy, including:

  • American surveillance powers and use of personal data for national security purposes and mass surveillance. In particular, the EU is unhappy with America’s re-authorisation of section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorises government collection of foreign intelligence from non-Americans located outside the United States (Remember Edward Snowden and PRISM? See the Electronic Fronteir Foundation’s explanation here)
  • Lack of auditing or other forms of effective regulatory oversight to ensure whether certified companies actually comply with the Privacy Shield provisions
  • Lack of guidance and information made available for companies
  • Facebook and the Cambridge Analytica scandal, given that 2.7 million EU citizens were among those whose data was improperly used. The EU Parliament stated it is “seriously concerned about the change in the terms of service” for Facebook
  • Persisting weaknesses regarding the respect of fundamental rights of European data subjects, including lack of effective remedies in US law for EU citizens whose personal data is transferred to the United States
  • The Clarifying Overseas Use of Data (“CLOUD”) Act signed into law in March 2018 allows US law enforcement authorities to compel production of communications data, even if they are stored outside the United States
  • Uncertain outcomes regarding pending litigation currently before European courts, including Schrems II and La Quadrature du Net and Others v Commission.

 

Image result for max schrems
Max Schrems is an Austrian lawyer and privacy activist. In 2011 (at the age of 25) while studying abroad at Santa Clara University in Silicon Valley, Schrems decided to write his term paper on Facebook’s lack of awareness of European privacy law. His activism led to the replacement of the Safe Harbor system by the Privacy Shield.

What happens if the Privacy Shield is suspended?

In a joint press release last month, the representatives from the EU and USA together reaffirmed “the need for strong privacy enforcement to protect our citizens and ensure trust in the digital economy.” But that may be easier said than done.

In the event that the Privacy Shield is suspended, entities transferring European personal data to the United States will need to consider implementing alternative compliant transfer mechanisms, which could include the use of Binding Corporate Rules, Model Clauses, or establishing European subsidiaries. To ensure that the American data importer implements an efficient and compliant arrangement, such alternatives would need to be assessed on a case-by-case basis involving careful review of data flows, and the controller and processors involved.

Regardless of the method used to transfer data, American companies must ensure that they receive, store, or otherwise use European personal data only where lawfully permitted to do so. The joint statement noted above concluded by saying that the “U.S. and EU officials will continue to work closely together to ensure the framework functions as intended, including on commercial and national-security related matters.”

The European Commission is currently analysing information gathered from its American counterparts, and will publish its conclusions in a report before the end of the year.

data protection, Uncategorized

Airbrushing history? Photos of Oxford Student Celebrations Raise Questions About Privacy Rights and Journalism

by Kelsey FarishLeave a Comment on Airbrushing history? Photos of Oxford Student Celebrations Raise Questions About Privacy Rights and Journalism
Airbrushing history? Photos of Oxford Student Celebrations Raise Questions About Privacy Rights and Journalism

A former Oxford University student asked image agency Alamy to remove photographs of her celebrating the end of exams. Now, the photographer accuses Alamy of “censoring the news”.  Is this a threat to freedom of the press, or has the woman’s human right of privacy been correctly protected?

The end of exams are a liberating and happy time for university students around the world. At Oxford, students take their celebrations to another level by partying en masse in the streets, covering each other in champagne, shaving foam, confetti, flour and silly string in a tradition known as “Trashing.”

Screenshot 2018-10-14 at 9.37.21 AM
An Alamy photo of Oxford celebrations from 1968. “Trashing” has become a bit more crazy since the 1990’s.

Speaking to the Press Gazette, Photographer Greg Blatchford explained that during the 2014 Trashing, a student invited him to take photographs of her celebrating on the public streets. Some of the images show her swigging from a bottle of champagne, while in others she is covered in silly string.

Blatchford then sent “about 20” images to Alamy as news content. The former student subsequently stated that she “loved” the images in email correspondence to Blatchford, and even shared them on Facebook. This summer, four years later, the woman contacted Alamy to have the photos deleted. The company removed the images – much to Blatchford’s dismay.

Screenshot 2018-10-14 at 9.37.58 AM
An Alamy stock image of Oxford University Trashing celebrations. Note: THIS IS NOT ONE OF THE SUBJECT PHOTOGRAPHS.

The right to be forgotten under the GDPR

Because the woman was able to be identified from the photographs, they constitute “personal data” as defined by Article 4 of the General Data Protection Regulation (GDPR). Under Article 17 GDPR, data subjects have the right in certain circumstances to compel the erasure of personal data concerning him or her.

For example, if the data was originally collected or used because the individual gave their consent, and that consent is subsequently withdrawn, the company may honour the request for deletion (Article 17(1)(b)). However, a company can also use a “counter attack” if an exception applies. Importantly for news and media agencies, if keeping the data is necessary for exercising the right of freedom of expression and information, they may be able to refuse the request and keep the data (Article 17(3)(a)).

For more details on how the right to be forgotten works in practice, see my earlier post, Now You’re Just Somebody That I Used to Know.

Are journalists under threat from privacy lawyers?

Blatchford explained that although they are now considered “stock images,” they were originally “news” photos and should not have been removed. By deleting the photos, Alamy “are censoring the news. I’m incensed that someone can influence news journalism and censor the past where clearly if photographs are taken in public, with the full consent of participants they can turn around and say ‘sorry, that’s not news’ later. This sets a precedent for anybody to walk up to a news organisation and say I don’t like the pictures of me. Journalists will then start feeling the threat of lawyers.”

In a statement to the Press Gazette, Alamy’s director of community Alan Capel said the images were submitted as news four years ago, but moved 48 hours later to the stock collection. “Therefore we are surprised that this is deemed to be ‘censoring the news.’ As per our contract with our contributors, we can remove any images from our collection if we see a valid reason to do so.”

The university said that participating in trashing can lead to fines and disciplinary action since it is against the university’s code of conduct
The comical images of students wearing sub fusc (formal academic attire) while partying are often published in newspapers around the country in May.

Privacy and press freedom have long been considered competing interests, but that’s not to say that striking an appropriate balance between the two is impossible.

On some level, I do sympathise with the photographer. I also struggle to buy Alamy’s argument that the images are not “news content” and are now “stock images.” The classification of an image should be based on its context, purpose and subject matter – not the time that has elapsed since the event, nor the label attributed to it on a website.

Stock images are, by definition, professional photographs of common places, landmarks, nature, events or people. By contrast, the Oxford Trashing photos are attributed to a specific time (May), place (Oxford), category of people (students), and event (celebrating the end of exams). They are popular for several reasons. Firstly, they illustrate a charming and comical juxtaposition. Although these students attend one of the oldest and most prestigious Universities in the world, they are – after all – entitled to a bit of fun. Secondly, Trashing has received increased press attention in recent years, as students have become subject to complaints fines, disciplinary action, and even police enforcement. These images clearly show, in ways that words alone cannot, matters of public interest.

Screenshot 2018-10-14 at 1.04.41 PM.png

In this particular instance however, I think Alamy have made the right decision in deleting the images.

Although the Press Gazette does not name the woman, it does note she is “a marketing director in New York.” It’s entirely plausible that she has valid concerns that the images of her participating in Trashing may negatively impact her reputation and career, or otherwise cause some sort of harm or embarrassment.

She claims that “there was no consent given to publish or sell my photos anywhere. I am not a model nor have given permission to any photographers to take photos of me to publicly display or to sell. This was a complete breach of privacy.” This contradicts what the email records show, but even if she had lawfully consented to the photographs being taken at the time, she is entirely within her rights to now withdraw consent. 

On balance, Alamy probably has dozens – if not hundreds – of images from the 2014 Trashing at Oxford. The likelihood that the images of this woman in particular are somehow especially newsworthy is minimal. Had Alamy refused to delete the photos, the woman would have been entitled to raise a complaint with the Information Commissioner’s Office. ICO enforcement action can include injunctions, sanctions, or monetary fines. Furthermore, Alamy would risk becoming known as an organisation that doesn’t care about privacy laws, thereby damaging its reputation.

Contrary to Blatchford’s concerns, it is doubtful that an organisation would delete a genuinely newsworthy image, simply because someone doesn’t like how they look. The right to be forgotten is not an absolute right to be purged from history, but a right to regain control of how information about you appears online.

For more details on how the right to be forgotten works in practice, see my earlier post, Now You’re Just Somebody That I Used to Know. If you’re interested in how celebrities control images of themselves, see Fame and Fortune: How do Celebrities Protect Their Image?

Header image by Alex Krook via Flickr
data protection

Now you’re just somebody that I used to know

by Kelsey Farish2 Comments on Now you’re just somebody that I used to know
Now you’re just somebody that I used to know

The GDPR has been in force for less than two weeks, but Europeans have already started to contact companies left, right and centre to exercise their newly enshrined statutory “right to be forgotten.”

However, this right is not absolute, and only applies in certain circumstances. Let’s look at the balancing act between a data subject’s right to have their data erased on the one hand, and an organisation’s need to maintain data for legitimate purposes, on the other.

Organisations (data controllers and processors) are obliged to only collect and use personal data in a lawful manner, as set out in Article 6. There are several types of “lawful processing,” including in instances where an individual grants his or her explicit and informed consent. But lawful processing also covers the use of data for a controller’s legitimate interests, the performance of a contract, or legal obligations, such as fraud prevention. For more on lawful processing, check out my earlier post – Lights, camera, data protection?

With this in mind, it’s important to note that only in certain scenarios does an individual have the right to be forgotten. Under Article 17(1), their data must be either:

  1. no longer necessary for the original purpose
  2. processed based on consent, which is now withdrawn
  3. processed based on the organisation’s legitimate interests, which the individual objects to;
  4. processed for direct marketing purposes, which the individual objects to;
  5. processed unlawfully (in contravention of Article 6);
    or
  6. erased to comply with a legal obligation.

But before an organisation hits “delete” it must see if any purposes for retention apply. In pre-GDPR days gone by, data subjects had to prove they had the right for their data to be erased. The burden now lies with the controller to prove that they have a legal basis for retaining the data. If so, the organisation has a lawful reason to refuse the erasure request. In fact, deleting data when an exemption does apply could be a breach of the law!

The purposes for retention under Article 17(3) are:

  1. the right of freedom of expression and information;
  2. complying with a legal obligation, or for performing a task in the public interest;
  3. for reasons of public health;
  4. for archiving in the public interest, including scientific or statistical research; or
  5. for the establishment, exercise or defence of legal claims.

Additionally, “manifestly unfounded” or “excessive” requests may be refused outright.

From what I’ve seen in practice over the last few days, most erasure requests are made because an individual no longer wants to receive marketing emails. Fair enough: in shifting responsibility onto corporate controllers, the right to be forgotten strengthens individual control. It also signifies public disapproval of entities which process – and, in some instances abuse – enormous quantities of personal information without the explicit consent or knowledge of the individuals concerned.

For those of us interested in the societal and human rights implications (I’m telling you – data protection isn’t just for the techies amongst us!) it’s worthwhile to consider how journalism fits into the picture.

As Oxford’s International Data Privacy Law summarises rather eloquently: The nebulous boundaries and susceptibility to misuse of the right to be forgotten make it a blunt instrument for data protection with the potential to inhibit free speech and information flow on the Internet.

As early as 2012, Reporters Without Borders (formally, Reporters Sans Frontières) criticized the right to be forgotten – then in early draft stages – as a generalised right that individuals can invoke when digital content no longer suits their needs. This runs the risk of trumping the public interest in the information’s availability. RSF also contends that the demand for complete erasure of online content, or the “right to oblivion”, could place impossible obligations on content editors and hosting companies.

EU Commissioner Viviane Reding responded to the criticism from RSF by explaining that the [GDPR] provides for very broad exemptions to ensure that freedom of expression can be fully taken into account.

Note – this post covers the statutory Right to Erasure under Article 17 of the GDPR. Although related, it is distinguished from the recent high-profile cases against Google, in which the English Supreme Court held that a defendant convicted of a crime was entitled to the right to be forgotten, and therefore delisted from Google search results. A more serious offence, with fewer mitigating circumstances, did not attract the same right.

photo © Cassidy Kelley

data protection

The Six Principles of Data Protection: Facebook fails

by Kelsey FarishLeave a Comment on The Six Principles of Data Protection: Facebook fails
The Six Principles of Data Protection: Facebook fails

Facebook may believe that dubious data collection and security practices justify a more connected audience: the incoming General Data Protection Regulations say differently.

Once again, data privacy is in the headlines. But this time, it isn’t a credit agency or department store that has fallen short of consumer expectations: instead, it’s Facebook. Much credit is due to Carole Cadwalladr and her team at The Guardian, who first broke the the Cambridge Analytica story.

#DeleteFacebook was trending on Twitter for a while, and I myself was considering ditching my account – not least because I simply don’t use Facebook often. While I’ve decided against deletion, I was genuinely saddened – although, in retrospect, not surprised – to come across the leaked 2016 “Ugly Truth” Memo from a Facebook executive Andrew “Boz” Bosworth. You can see the Memo in full at Buzzfeed, but the part that hit me hardest reads as follows:

We connect people. Period.

That’s why all the work we do in growth is justified. All the questionable contact importing practices. All the subtle language that helps people stay searchable by friends. All of the work we do to bring more communication in. The work we will likely have to do in China some day. All of it.

The natural state of the world is not connected. It is not unified. It is fragmented by borders, languages, and increasingly by different products. The best products don’t win. The ones everyone use win.

“Questionable contact importing practices”? By Bosworth’s own admission, “the ugly truth is that we believe in connecting people so deeply that anything that allows us to connect more people more often is de facto good.”

The General Data Protection Regulations (GDPR) say differently. With less than two months to go until the implementation date of 25 May (!) I’ve set out a little refresher on the main responsibilities for organisations below.

Article 5 of the GDPR contains Six Principles of personal data collection and processing. The data controller (the company collecting or otherwise controlling the data) are responsible for, and must be able to demonstrate, compliance with these principles.

(A) Processed lawfully, fairly and in a transparent manner.
A company collecting data must make it clear as to why the data are being collected, and how the data will be used. The company must provide details surrounding the data processing when requested to do so by a person whose data is collected (the “data subject”). “Questionable practices” are likely neither fair nor transparent!

(B) Collected for specified, explicit and legitimate purposes.
Have you ever filled in a form, only to think, “why am I being asked this question?” This principle states that organisations should not collect any piece of personal data that doesn’t have a specific purpose, and a data subject must give explicit consent for each purpose. A lawful purpose could mean fulfilling a contract: for example, your address is required for shipping something you bought online.

(C) Adequate, relevant and limited to what is necessary.
Companies strive to understand customer buying behaviours and patterns based on intelligent analytics, but under this principle, only the minimum amount of data required may be stored. Asking for one scanned copy of a drivers’ licence may be adequate, but asking for a drivers’ licence, passport, and birth certificate might be more than necessary.

(D) Accurate and, where necessary, kept up to date.
Controllers must ensure personal data is accurate, valid and fit for purpose. Accordingly, data subjects have the right under Article 16 (Right of Rectification) to rectify any personal data held about themselves.

(E) Kept for no longer than is necessary.
This principle limits how data are stored and moved, and for how long. When data is no longer required, it should be deleted. This is closely related to the Right of Erasure (“Right to be Forgotten”) under Article 17, which I previously wrote about in respect of the Google case in England.

(F) Processed in a manner that ensures appropriate security.
This principle is perhaps what most people think about when they think of data protection. It means that IT systems and paper records must be secure, and the security must be proportionate to the risks and rights of individual data subjects. Negligence is no longer an excuse under GDPR!

In 2016, a Gallup study found that Millennials (those of us born between 1981 and 1996) are generally aware of potential data security risks, but less likely to be concerned about them. Prior to familiarising myself with these principles, I simply thought data protection was another phrase for “IT security”. I thought it was just about firewalls, encryption, and outsmarting hackers.

But in the months I’ve been helping clients to get ready for the GDPR, I’ve realised that compliance is about more than just having strong passwords: it really is a mindset. That’s what’s so disappointing about Facebook’s apparent attitude towards the end consumer, in which people are seen only as a series of clicks or “likes” which can be analysed, predicted, and manipulated – at any cost. My Facebook account may remain active, but I for one will certainly be less engaged.

Photo credit – Book Catalogue