The Privacy Shield framework for protecting personal information in transatlantic data flows faces an uphill battle,...
as it must now contend with changes to U.S. procedures that could give the FBI the ability to legally conduct bulk digital surveillance.
The U.S. policy change comes just weeks after Privacy Shield received less than enthusiastic reviews from a key European data privacy regulatory group, which poses real problems for enterprises contending with the still unproven framework.
The U.S. Supreme Court late last month approved a controversial change to Federal Rule of Criminal Procedure 41, or Rule 41, giving federal judges the authority to issue more sweeping search warrants for searching and collecting information from computers anywhere -- not just in judges' own jurisdictions.
The change to Rule 41 is seen as enabling bulk surveillance, and it could signal a rocky start to Privacy Shield. Prior to the change to Rule 41, Privacy Shield earned an ambivalent review from the Article 29 Working Party (A29WP), the EU regulatory body whose members represent the data protection authorities of all EU member states.
Government officials in Europe and the U.S. scrambled to formulate a successor to the old Safe Harbor framework, which was invalidated last October after the European Court of Justice (CJEU) ruled that the Safe Harbor framework failed to provide sufficient data privacy protection to EU citizens whose data was sent to the United States. Austrian privacy activist Max Schrems successfully argued the Safe Harbor framework, first set up in 2000, could not protect European user data from bulk surveillance programs conducted by U.S. intelligence and law enforcement agencies.
Rule 41 changes will expand government reach
The Department of Justice requested the change to Rule 41 of the Federal Rules of Criminal Procedure, the rule that specifies authority to issue warrants to remotely access computers. Previously, magistrate judges were able to issue warrants for searches of computer systems located within the judges' jurisdictions; the change approved by the Supreme Court at the end of April gives federal judges the right to issue warrants to remotely search computers physically located anywhere, not just within the jurisdiction of the court.
Under the updated Rule 41, warrants may be issued for any or all computers that have been involved in an investigation, regardless of location and who owns the computers. So, for example, systems that were subverted by criminals for use in a botnet could all be subject to "network investigative techniques" -- what the FBI calls it when they remotely hack computers.
Law enforcement agencies would be able to ask for, and receive, permission to gather information from any computers involved in an investigation -- whether they belong to the suspects or to innocent citizens whose systems were subverted -- in any location, including outside the U.S.
The changes will take effect Dec. 1, 2016, unless Congress rejects it -- and Sen. Ron Wyden (D-Ore.) has already vowed to introduce legislation to reverse the changes.
"Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of the affected computers would belong to the victims, not the perpetrators, of a cybercrime," Wyden said in a statement.
Could Rule 41 torpedo Privacy Shield?
Some technology executives expressed concern about Rule 41 and its effect on Privacy Shield and other data protection regulations. "The changes made to Rule 41 certainly don't help Privacy Shield's chances," said Yorgen Edholm, CEO of Accellion, based in Palo Alto, Calif. "In fact, they will only exacerbate concerns in the EU that the perceived overreach by U.S. intelligence and law enforcement agencies will continue. And this shouldn't surprise U.S. lawmakers. After all, the same led to the invalidation of Safe Harbor, and the delay in approving Privacy Shield stems from the fact that EU regulators aren't convinced the electronic monitoring will stop."
According to Deema Freij, global data privacy officer for Intralinks, the secure content and collaboration firm based in New York, "Any laws that will allow the U.S. to carry out mass surveillance or expand the jurisdiction of such surveillance will have an adverse effect on the progress of EU-U.S. Privacy Shield."
Yorgen EdholmCEO, Accellion
"While the changes to Rule 41 are intended to assist U.S.-based investigations, there is nothing stopping judges from applying the legislation globally now that jurisdiction is no longer an obstacle," Edholm said. "From that perspective, France, Italy and Germany are now as much within a New York judge's jurisdiction as are Oregon, California and Arizona."
"This can't sit well with the European regulators determining the fate of Privacy Shield, so I wouldn't be surprised if additional protections are requested to assure Rule 41 isn't abused internationally."
Article 29 Working Party concerns about Privacy Shield
The Article 29 Working Party offered its review of the EU-U.S. Privacy Shield framework earlier in April. The group's primary criticism of Privacy Shield was it provides inadequate privacy protections to EU citizens from the U.S. side due to the possibility of "indiscriminate and mass data collection" by U.S. intelligence agencies.
While they noted the Privacy Shield brings significant improvements over Safe Harbor, the A29WP stated it had "strong concerns on both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield."
As for access by public authorities to data transferred under the Privacy Shield, A29WP pointed out that the U.S. Office of the Director of National Intelligence had not provided enough details "to exclude massive and indiscriminate collection of personal data originating from the EU."
The group further noted its "longstanding position that massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society, as is required under the protection offered by the applicable fundamental rights. The WP29 takes note that there is a tendency to collect ever more data on a massive and indiscriminate scale in the light of the fight against terrorism. Given the concerns this brings for the protection of the fundamental rights to privacy and data protection, the WP29 looks to the forthcoming rulings of the CJEU in cases regarding massive and indiscriminate data collection."
Freij said the A29WP opinion is not binding on the EU Commission, which could "decide that it's [Privacy Shield] adequate and adopt it. And, in fact, some rumors have been going around that actually they will adopt it. They will try to allay some concerns of the Article 29 Working Party, but it looks like, more likely than not, that they will give it that adequacy approval in June."
Freij said if the EU Commission doesn't heed the concerns of the Article 29 Working Party, "I think that it will be litigated very, very quickly by privacy activists, and then we're going to end up in the same situation as we had with Safe Harbor, and [Privacy Shield] may be invalidated, so that's one risk."
Freij also pointed out for European companies dealing with data transfers on a daily basis, a lot of them "are no longer going to look at Privacy Shield as something that they can rely on, even if it is approved in June. I think a lot of clients of vendors that deal with data are not going to rely on that, and they'll want to basically have other legal mechanisms by which they rely on the transfer of personal data to the U.S."
Enterprise alternatives to Privacy Shield
For companies wishing to avoid problems with Privacy Shield, EU model clauses, also known as standard contractual clauses, can provide companies with "adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights," according to the European Court of Justice.
With these standard contracts, Freij said companies can create their own frameworks for transferring data pretty quickly. "It's non-negotiable," she said. "The only thing that companies would really dig into is the actual appendices, which is where you list the data that is being transferred, what type of data, why is it going to be processed and then also about the security measures."
Another alternative for large enterprise is to define binding corporate rules, which, according to the CJEU, allow a multinational group of companies to "define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection."
Freij cautions that using binding corporate rules is "more of a long-term project." She said setting them up can take 18 to 24 months or more. It's also different from the model clauses, as the binding corporate rules define a privacy framework for a company, as well as defining how multinational companies transfer personal data within their group.
"It's really a very long process," Freij said. "You have to make sure that there are policies in place, because this isn't a one-off contract where you look at a moment in time -- it's actually a living, breathing organism. How does your company deal with privacy, right from the start when you create that product, do you have privacy by design in mind? Who gets involved? Is there privacy officer? Who does the privacy officer rely on? Is there a network? How do you train your people? Are all people within the company trained on privacy? Can they recognize a privacy matter when they see it?
"It's definitely a legal mechanism," she said. "It's just that it takes a lot longer than having to put into place EU standard contractual clauses."
Learn more about what Bruce Schneier had to say about Internet surveillance.