Data Protection Needs a Global Approach

The recent global ransomware attack has once more shown the world how dependent we are on digital infrastructure and how vulnerable that infrastructure is to outside interference. Viruses, malware and similar tools can be developed on a single computer anywhere in the world and set off a chain reaction, so data must be protected from being blocked, stolen or destroyed. Companies are starting to grapple with this reality by drawing up strategic plans and forming a clear picture of the value they stand to lose if they suffer particular types of attack.

Of equal or perhaps greater importance, though less tangible, is the problem of data privacy. There are no established metrics for valuing the loss of confidential data, whether of a political, economic or personal nature. We know that nonprofit institutions, companies and political institutions generally try hard, some more so than others, to protect their data from outside intervention. Individual users, however, despite activism in various forms, appear to have concluded that there is very little they can do to stop their data being surveilled and used by third parties without their consent.

Much as people lack an evolved, built-in sense of the risks posed by cars on the road, we also appear to lack a good sense of what data we put out in public, for instance when using social media. A plethora of problems arises because people do not exercise the necessary level of prudence when using these means of digital communication. The EU Agency for Fundamental Rights (FRA) is launching a large survey to measure people's attitudes to fundamental rights, including the right to privacy, which should give a clearer view of how this sensibility is developing. At the European level there will also be a large awareness-raising campaign about digital rights in the coming year. The issue is not necessarily a lost battle: private data still needs to be given its proper value through global institutional frameworks that adequately address these privacy concerns, and at the moment there is by no means a settled framework that protects everyone. There is therefore a strong case for raising awareness and creating engagement on a larger scale.

As it stands, one of the most important data flows at the global level takes place between the EU and the US and is currently regulated through the EU-US Privacy Shield (PS). After its predecessor, the Safe Harbour agreement, was struck down in the 'Schrems' case for offering insufficient protection against misuse of personal information, the legal framework was revised into its current form. Critics, including the FRA, still question the legality of the PS, which is being challenged in a variety of cases before the EU Court of Justice.

One criticism is that the legal framework still appears to leave room for mass surveillance, and that US institutions offer no uniform definition of what mass surveillance is. The independence of the Ombudsman within the US institutional system is also called into question. Furthermore, only a few companies have signed up to the voluntary PS register, so that most companies remain outside the scope of liability under a number of corporate standards. Many participants also choose not to designate a European Data Protection Authority with which concerns can be raised, which may work to the disadvantage of European consumers. There is, in addition, a clear worry that the current rebalancing of competences between the US Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) will produce legislation permitting the unbridled sale of user data on broadband usage, data that advanced techniques can trace back to individual users. This would again put extra strain on the legality of the PS.

In six defined cases, bulk surveillance remains legal, and there is an apparent gap, rather than a clear equivalence, in how the EU and US frameworks apply. Whereas the EU system requires 'necessity and proportionality', the US criteria are that collection be 'as tailored as possible' and 'reasonable'. Although the PS has a degree of legal standing independent of the US President, there is still considerable scope for executive orders to tilt the balance of privacy. The PS avenues for legal redress are not clear-cut, and there is a general absence of any form of compensation after an unwarranted breach, since the required remedy is limited to erasing the data concerned. Finally, retention policies and the searches performed have been found not always to have complied with the law, even in the more advanced European countries.

From the above it should be clear that the balance struck between privacy and security at the institutional level, and between the EU and the US, is by no means perfect or beyond debate. Readers are invited to think about these matters and form their own opinions. The picture is in fact far from complete if one looks only at the EU and the US. Data flows between the US and Canada on the one side and Latin America and Asia Pacific on the other are also significant, and the regulatory framework there is non-existent at worst and patchy at best, quite apart from the lack of proper institutions to enforce it. An attack, and likewise any spying operation, can be run from anywhere in the world. Indeed, the relevant reports of Privacy International suggest that states one might count as failed or fragile possess surveillance technology that can readily be used not only to spy on their own citizens for repressive purposes, but also to disrupt external parties.

This illustrates a clear need to think about these matters not just within developed states and in the places where the largest volumes of data are exchanged, but also in the remotest parts of the world. There is an obvious need for a balanced, global regulatory framework that creates openness and transparency while keeping the compliance burden as low as possible, and that provides the necessary capacity and research into public attitudes, the implications of policy and so on. Individuals and small companies in particular would do well to bring an extra level of awareness to their current activities in the digital space. They can do this not only by taking precautionary protective measures, but also by checking more rigorously what information they share. Cybersecurity and data protection are matters not just for governments but for citizens to act upon.