May 22, 2017
The recent global ransomware attack once more showed the world how dependent we are on digital infrastructure and how vulnerable this infrastructure is to the outside world. Viruses, malware and similar tools can be developed on a single computer anywhere in the world and start a chain reaction. That is good reason to protect data from being locked, stolen or destroyed. Companies are starting to grapple with this reality by building up strategic plans and forming clear ideas of what value they might lose if they suffer particular types of attack.
What is of equal or perhaps bigger importance, as well as less tangible, is the problem of data privacy. There are no clear, known metrics available that classify the loss of confidential data, whether of a political, economic or personal nature. We know this intuitively, and companies and political institutions generally try hard, some harder than others, to make sure their data is protected from outside intervention. Personal users, however, despite activism in various forms, appear to have come to the realization that there is very little they can do to protect their data from being surveilled and used by third parties without their consent.
Much like people do not have a built-in evolutionary sense for the risks of cars on the road, we also appear not to have a very good sense of what data we put out there in public, for instance when using social media. Examples of problems that arise because people do not exercise the necessary level of prudence when using these means of digital communication are plentiful. The EU Agency for Fundamental Rights (FRA) will launch a large survey to measure people’s attitudes on fundamental rights, including the right to privacy, which will hopefully give a clearer view of this sensibility. At the European level there will also be a large awareness-raising campaign about digital rights in the upcoming year. All of this matters because the issue is not necessarily a lost battle, and private data still needs to be given its appropriate value by creating global institutional frameworks that address these privacy issues adequately. At the moment there is by no means a settled framework that protects all. Thus, again, there is a strong reason to raise awareness and create engagement at a bigger scale.
As it stands, one of the most important data flows at the global level takes place between the EU and the US and is currently regulated through the EU-US Privacy Shield (PS). After the previous framework, the Safe Harbour Agreement, was defeated in the ‘Schrems case’ for offering insufficient protection against misuse of personal information, the legal framework was revised into what it is now. Critics, including the FRA, still question the legality of the PS, which is still being challenged in a variety of cases before the EU Court of Justice. One of the criticisms is that the legal framework actually still appears to leave room for mass surveillance and that the US institutions offer no uniform definition of mass surveillance. The independence of the Ombudsman within the US institutional system is also called into question. Furthermore, only a few companies have signed up to the voluntary PS register, which places the others outside the scope of liability of a number of corporate standards. Many parties also choose not to designate a European party as the Data Protection Authority with whom to raise issues of concern, which may play out to the disadvantage of European consumers. Then there is a clear worry that the current rebalancing of competences between the US Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) will lead to legislation permitting the unbridled sale of user data related to broadband usage, data that can be traced back to individual users by means of advanced techniques. This will again put extra strain on the legality of the PS. In six cases, bulk surveillance is also still made legal, and there is an apparent differential, i.e. no clear equivalence in applicability, between the EU and the US frameworks. Whereas the EU system requires ‘necessity and proportionality’, the US criteria are to be ‘as tailored as possible’ and ‘reasonable’.
Although the PS has a degree of legal standing independent from the US President, there is also still considerable scope for executive orders to tilt the balance of privacy. Under the PS, legal redress is not clear-cut either, and there is a general lack of any form of compensation in case of an unwarranted breach, as the required remedy is limited to erasing the respective data. Finally, retention policies and searches performed have not always been found to have taken place in accordance with the law, even in the more advanced states in Europe.
From the above it should be clear that the attempted balance between privacy and security at the institutional level, and between the EU and the US, is by no means perfect or beyond debate. Readers are thus invited to think about these matters and form their own opinions. The picture is actually far from complete if one looks only at the EU and the US. Data flows between the US and Canada on the one side and Latin America and Asia Pacific on the other are also significant, and the regulatory framework there is non-existent at worst and patchy at best, let alone there being proper institutions to enforce it. And again, an attack, or any spying operation, can be run from anywhere in the world. In fact, if one reads the relevant reports of Privacy International, one is led to believe that states that might be on one’s list of failed or fragile states are in possession of surveillance technology that could easily be used not only to spy on their own citizens for repressive purposes, but also to disrupt external parties.
The above thus illustrates that there is a clear need to think about these matters, not just at the level of developed states and in the places where the biggest volumes of data interaction take place, but also in the remotest places in the world. Apart from the obvious need to create a balanced global regulatory framework that creates openness and transparency, whilst keeping the compliance burden as low as possible and providing the necessary capacity and research into attitudes of acceptability, implications of policy and so on, individuals and small companies in particular would do best to add an extra level of awareness to their current activities in the digital space. They could do this not only by taking precautionary protection measures, but also by cross-checking more rigorously what information is shared. Cybersecurity and data protection are matters not just for governments but for citizens to act upon.

Antonius Voluptarius