Privacy Shield: More Holes than Swiss Cheese
What if your most intimate and private information was for sale to anyone in the world? What if anyone could find out your political beliefs, religious affiliation, sexual orientation, or even your medical history? In the US, it is legal for the private sector to collect and sell these types of personal information, and the government is powerless to stop it. Due to the US’ lack of general data protection laws, Europeans’ personal information could wind up in the hands of unscrupulous data brokers and for sale on the global market. Data transfers from the EU to the US is cause for on-going controversy, because the EU considers data protection to be a fundamental right.
In testimony before the US Congress, Pam Dixon of the World Privacy Forum detailed abuses by data brokers. MEDbase200 sold personal information on rape survivors and people with an HIV positive status for $79.00 per thousand names. Addresses of domestic violence shelters are supposed to be kept secret, but FirstMark sold lists of these shelters online. DMDatabases sold comprehensive databases detailing patients’ medical conditions and which prescription medications they were taking.
Data brokers obtain personal information from various sources. Many US companies rather shamelessly sell information on their customers. Data brokers can also collect information online through tracking cookies, mobile app data, social media postings, and online surveys. Data brokers also sell each other vast amounts of data, making it virtually impossible to figure out who originally collected the information.
EU regulators should have pause for concern that social media sites are now partnering with American data brokers. Especially controversial is Facebook’s partnership with data broker Acxiom. After the 9/11 terror acts, Acxiom lobbied the US government to weaken the few and limited federal privacy protections in the US. In 2001, Acxiom proposed to establish a government surveillance programs to crawl the internet and gather intelligence from websites. The US Department of Defense also considered partnering with Acxiom to build a large surveillance database. In 2003, Acxiom was embroiled in controversy when it worked with the US Department of Homeland Security on a proposed system to give airline passengers color-coded ratings based on the likelihood of being a terrorist. Despite holding vast amounts of personal data, Acxiom has been the victim of numerous data breaches, with computer hackers stealing large amounts of information.
Starting in 2000, the US-EU Safe Harbor agreement allowed companies in the EU to send personal data to the US. In 2015, the EU Court of Justice struck down the legal basis for the Safe Harbor agreement, because the agreement failed to provide adequate data protections. The US and the EU quickly negotiated a new agreement called Privacy Shield to allow the continued flow of data from the EU to the US.
The new US-EU Privacy Shield agreement is a complete disaster. The agreement’s greatest weakness is that the Privacy Shield program is completely voluntary. An American company with no subsidiaries in the EU could refuse to sign up for Privacy Shield and can ignore EU data protection authorities. The US government is powerless to stop data collection over the internet, which is completely legal in the US.
Even when a company voluntary signs up for the Privacy Shield program, it requires the US Federal Trade Commission (FTC) to enforce the rules. This year, President Trump has the authority to nominate four FTC commissioners (out of five commissioners total). Considering President Trump’s history, his nominations for the FTC will be extremely business-friendly, and the new commissioners may do everything in their power to stop any consumer protections (including Privacy Shield). On the rare instance that the FTC would actually investigate a company for failing to comply with the Privacy Shield framework, the FTC would have to prove that the data is covered under Privacy Shield. In the US, data brokers repackage and sell data so many times that it may be difficult or impossible for the FTC to ever prove where the data originally came from.
Recently, President Trump named Maureen Ohlhausen as acting Chair for the FTC. Ohlhausen has previously criticized the FCC (Federal Communications Commission) proposal to require ISP (internet service providers) to obtain consent before sharing customers’ private data with data brokers and other third parties. Ohlhausen argued that the FCC’s proposal would harm consumers by offering too many privacy protections. With Ohlhausen as acting Chair, the FTC will likely fail to enforce the Privacy Shield framework.
The Privacy Shield framework does nothing to stop the US government’s mass surveillance and bulk collection of data. In a letter included in the Privacy Shield notice, the former Secretary of State, John Kerry, promises to establish an ombudsperson to take complaints regarding US government surveillance practices. A close reading of the memorandum reveals that the Privacy Shield ombudsperson has no legal authority to investigate or provide independent oversight. The memorandum also mentions several OIGs (Office of Inspector Generals) and the PCLOB (Privacy and Civil Liberties Oversight Board), which are the same mechanisms that failed to protect people from the NSA’s mass surveillance in the first place.
The Privacy Shield notice also includes a letter from the Office of the Director of National Intelligence (ODNI). The letter cites PPD-28 (Presidential Policy Directive-28) as limiting the US government’s surveillance efforts. It is difficult to independently verify what PPD-28 actually contains, since some portions of the directive are classified. The PPD-28 was signed by President Obama, who is no longer in office. President Trump is not required to follow PPD-28, and he can secretly overturn the directive at any time without any public notice.
The US government has no international legal obligations to enforce Privacy Shield. The Privacy Shield framework is a voluntary program, operated by the US Department of Commerce, which could be rescinded at any time. It is hard to imagine how the EU ever approved an agreement so dreadful as Privacy Shield. I cringe thinking that the EU completely lacks an understanding of the US Constitution and how the American government operates. Before ever entering another agreement with the US, the EU needs to first hire some extremely well-read American lawyers as advisors.
As it stands, the Privacy Shield framework leaves EU consumers’ personal data open to abuse, with few or no rights to recourse and redress. If the EU is serious about data protection, it should immediately suspend the Privacy Shield framework. Access to the EU market is of paramount importance to many American businesses. Using its economic leverage, the EU should pressure the US to reform its legal code to ensure better data protection.
For further reading:
GAO report on data brokers, link
FTC report on data brokers, link
Featured image: CC-BY-NC-ND, thenoodleator