The Free Internet Project

data privacy

Schrems II: EU Court of Justice strikes down US-EU "Privacy Shield," which allowed businesses to transfer data despite lower privacy protections in US

On July 16, 2020, the European Union's top court, the Court of Justice, struck down the trans-Atlantic data transfer pact in a case called Schrems II. The agreement between the US and EU, known as the Privacy Shield, allowed businesses to transfer data between the United States and the European Union even though U.S. privacy laws do not meet the higher level of data protection required by EU law. Data transfer is essential for businesses that rely on the pact to operate across the Atlantic. For example, multi-national corporations routinely obtain consumer shipping data from the EU for further use in the US. The Court of Justice ruled that the transfer of data left European citizens exposed to US government surveillance and did not comply with EU data privacy law. The Court explained: "although not requiring a third country to ensure a level of protection identical to that guaranteed in the EU legal order, the term 'adequate level of protection' must, as confirmed by recital 104 of that regulation, be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the regulation, read in the light of the Charter."

Companies in the U.S. can work out privacy protections by contract, but such contracts also must comply with EU privacy standards. The Court explained: "the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation."

Ars Technica explains the origins of Privacy Shield and the troubles that have long existed with the agreement. Prior to Privacy Shield being adopted, the agreement governing the sharing of consumer data across the Atlantic was called the Safe Harbor. In 2015, the Safe Harbor was invalidated after being challenged by Maximillian Schrems, an Austrian privacy advocate, because it conflicted with EU law. After the Safe Harbor was struck down by the Court of Justice, EU lawmakers and the US Department of Commerce negotiated the Privacy Shield, which went into effect in 2016. But many in the EU questioned its validity and lawfulness.

In Schrems II, the Court of Justice agreed. According to Axios, Schrems complained that the clause in Facebook's data contract was insufficient to protect Europeans from US government surveillance. The Court agreed, ruling that once the data entered the US, it was impossible to adequately ensure the protection of the data. European citizens would have no redress in the US for violations of the EU standards of privacy. The Privacy Shield therefore did not provide equivalent privacy protection.

So what happens next? EU and US officials must negotiate a new data sharing agreement that provides a level of privacy protection equivalent to that in the EU. Tech companies like Google and Facebook have issued assurances that this decision will not affect their operations in Europe because the companies have alternative data-transfer contracts, according to Ars Technica. It remains to be seen whether a new transatlantic data sharing agreement can be reached in a way that comports with EU privacy law.

-written by Bisola Oni

TikTok is all the rage, so why did India ban it?

TikTok is a social media platform owned by a Chinese firm named ByteDance. The app was first developed in China, but is growing more and more popular, especially among teens all over the world, for its combination of music, dance and peculiar humor expressed through creating and sharing short videos. Another popular feature is live-streaming, which grants real-time interaction between the host and the audience. Users do not even need to speak English to become an overnight hit with millions of followers on TikTok.

TikTok has become a phenomenon. The idea of producing short clips is not new: Snapchat and Instagram had similar functions too, and creating videos has been around since YouTube. But, with an enormous user base in China, this new contender surpassed other video-sharing sites and gained incredible popularity. Presently, TikTok has over 500 million active users worldwide. TikTok's worldwide success as an Internet platform is rare for a Chinese-based company. China's strict internet restrictions are well-known: because of the firewalls it has put up, mainstream Western social media sites such as Facebook and Twitter are inaccessible in China.

India announced the controversial decision to ban TikTok within its borders. Why? As the border clash between China and India escalated, the Indian government recently banned 59 Chinese apps, including TikTok, citing concerns over activities prejudicial to the sovereignty and integrity of India, according to the New York Times. Alternative Indian native platforms such as Glance and Roposo are eager to seek new users after TikTok's departure, but watchdog groups are concerned that Indian local apps may also be censored and controlled by the government or exploited for political propaganda. While banning TikTok could be a token of revenge against China for the border skirmish, the ban could also be viewed as India's determination to safeguard its citizens' data from foreign manipulation.

Taking the cue from India's decision, the US is considering a ban on TikTok too. US Secretary of State Mike Pompeo warned Americans not to use the app unless "you want your private information in the hands of the Chinese Communist Party," implying that the app secretly sends users' data to the Chinese government.

Having a reputation for exercising a tight grip over the internet environment, the Chinese government is frequently accused of privacy breaches. ByteDance, the Chinese firm that owns TikTok, encountered several challenges as it expanded into markets worldwide. In February 2020, ByteDance was fined £4.2 million by the US Federal Trade Commission for illegally collecting personal information from children under 13 without requiring parental consent. On July 3, 2020, the head of the UK's Information Commissioner's Office announced that TikTok was undergoing a similar investigation regarding protections of children's personal data, as its open message system permits adults to directly contact children and thus exposes children to risks such as online solicitation and harassment.

Of course, data breaches in social media are not uncommon in the modern digital age. Facebook has been accused multiple times of harvesting users' private information without their consent. Thus, banning TikTok in the name of privacy protection sounds extreme, since other breaches of data by social media have not resulted in the banning of an entire platform in a country.

Some users have expressed a suspicion that the major impetus for the US ban on TikTok was the significant role that TikTok played during the BlackLivesMatter rallies. In the pandemic era, TikTok fostered new political expression. For example, activists who could not march on the street in person created videos with the hashtag #blacklivesmatter to demonstrate cyber solidarity against racial injustice. As CNN reported, users on TikTok also live-streamed the street protests and documented police assaulting peaceful demonstrators. TikTok lowered the barrier of communication, allowing users from all over the globe to share content and exchange ideas. Apart from showing cute dogs, teenagers' funny dance steps, and other mundane occurrences, TikTok has also entered the political sphere, even though few politicians are active on the site. Despite the alleged privacy and national security concerns, it is one of the fastest and most unfiltered ways for people to spread messages.

"Any kind of public policy response which is premised on grounds of national security needs to emerge from well-defined criteria, which seems to be absent here," executive director of the Internet Freedom Foundation Mr. Gupta said to the New York Times. Banning may be a quick fix, but if authorities can ban an app in the name of protecting citizens' data without showing clear evidence supporting the alleged claim or legal authority for such an extreme action, it sets a dangerous precedent that would greatly impair internet freedom. Of course, there remains the tension that popular Western-based social media platforms are still banned in China.

-written by Candice Wang


The EU's GDPR (General Data Protection Regulation) goes into effect May 25, 2018

The new EU General Data Protection Regulation goes into effect May 25th, 2018. You may have recently received notices of changes to privacy policies by Google, Twitter, and other tech companies. The reason: the GDPR. It attempts to create uniform rules for how personal data is managed in EU countries. The European continent's first piece of legislation pertaining to the protection of personal data was "Convention 108", adopted in 1981 by the Council of Europe (a different international institution than the EU, which brings together 47 countries). Later, in 1995, the European Union passed its directive "on the protection of individuals with regard to the processing of personal data and on the free movement of such data". Unlike the 1995 personal data directive, which had to be implemented by EU countries in their national laws, the new GDPR is EU law that applies without reliance on national implementing laws. The GDPR is also broader than the personal data directive. The key changes are discussed below.


OVERVIEW OF KEY CHANGES BY GDPR


1. Extensive territorial scope: controllers of data with no establishment in the EU can still be subject to the Regulation for processing related to the offering of goods and services in the EU, or to the monitoring of the behavior of data subjects located in the EU.

  • No longer matters whether controllers actually process data within the EU.
  • If an EU citizen's data is processed, the controller is subject to the GDPR.  

2. Enhanced rights of data subjects:

  • New right to 'data portability': in certain situations, controllers will be bound to transmit personal data to new controllers, on the request of data subjects who may wish to switch from one service to another;
  • Upgraded rights to erasure (‘right to be forgotten’) and to restriction of processing;
  • Substantial increase of the number of information items which must be provided to data subjects, including in particular the retention period of the collected data;
  • More stringent conditions for a valid consent (where required): it will have to be freely given, specific, informed and unambiguous, by statement or by affirmative action.

3. Redesigned obligations for controllers and processors:

  • Auto-compliance and accountability: controllers and processors must ensure, and be able to demonstrate, that they have implemented the technical and organizational measures needed to ensure that the processing carried out complies with the Regulation. Such demonstration may be helped through adherence to codes of conduct, or through certifications;
  • The end of prior notifications: the obligation to notify the competent supervising authority prior to each processing is replaced by an obligation to keep detailed records of processing activities;
  • Data protection by design and by default: controllers and processors will be expressly bound to respect these principles, which are viewed as an effective means for compliance;
  • Specific measures to be implemented in certain situations: (i) appointment of a data protection officer; (ii) privacy impact assessments; and (iii) notification of data breaches to supervising authorities and to concerned data subjects;
  • Other new obligations related in particular to the (i) joint controller regime (the breakdown of the different responsibilities will have to be determined); and to (ii) the choice of data processors and to the contracts between controllers and processors.

4. Reinforcement and clarification of the supervising authorities’ roles and powers:

  • Administrative fines up to 20 million Euros or 4% of the worldwide annual turnover of the preceding financial year;
  • For cross-border processing, a lead authority will handle issues in accordance with a new co-operation procedure between it and other concerned supervising authorities (which will remain competent alone in certain situations);
  • Supervisory authorities will have to offer each other mutual assistance, and may conduct joint operations when necessary;
  • A new entity, the "European Data Protection Board", will replace the Article 29 Working Party and will be in charge of providing opinions to supervising authorities on certain matters, of ensuring consistent application of the Regulation (by supervising authorities), in particular through a dispute resolution mechanism, of issuing guidelines, of encouraging the drawing-up of codes of conduct, etc.
