Revelations on PRISM Should Not—But Likely Will—Affect the General Data Protection Regulation
By Mehmet Munur, CIPP/US
Recent revelations relating to PRISM and the Verizon FISA Order should not—but likely will—affect the current talks to enact the General Data Protection Regulation. These disclosures may make international data transfers to third countries more prescriptive, affect current and future adequacy decisions and frustrate businesses engaging in international data transfers. Considering that government surveillance is a global reality, erecting barriers to transfers of personal data for businesses is unlikely to make good sense.
One of the greatest challenges affecting businesses transferring personal information is the regulation of transfers of personal data to other countries. This trend appears to be on the rise independent of revelations relating to PRISM. Articles 25 and 26 of the EU Data Protection Directive regulate the transfers of personal data to third countries. The proposed General Data Protection Regulation will continue this adequacy mechanism. The OECD Privacy Principles, Convention 108 of the Council of Europe and the APEC Privacy Framework have also affected this trend. As a result, a recent survey has found that more than 60 countries have adopted data protection and privacy laws that regulate transborder data flows. Many countries aspiring to achieve the coveted EU adequacy standard have adopted similar laws, hoping to bolster their outsourcing sectors. Therefore, regulation of transborder data transfers is currently, and will likely continue to be, one of the biggest challenges to businesses.
This challenge is exacerbated by the expanding speed and scope of communications on the Internet, cloud computing, smartphones and the modern multinational corporations with personnel and data scattered around the world. Despite these growing global challenges for businesses, some lawmakers and privacy regulators insist on a territorial and local approach to the regulation of data. Other regulators insist on authorizing each and every international transfer of personal data. These and other inconsistent obligations could be removed with the introduction of the proposed General Data Protection Regulation. However, the revelations relating to NSA’s PRISM program may bolster arguments for greater restrictions on transborder data flows.
If successful, such arguments may increase the restrictions on the U.S. Department of Commerce EU Safe Harbor, Standard Contractual Clauses and even future authorizations for Binding Corporate Rules. Currently, adherence to the Safe Harbor may be limited to the extent necessary to meet national security, public interest or law enforcement requirements. Standard Contractual Clauses also allow the processor to promptly notify the controller about any legally binding request for disclosure of personal data by a law enforcement authority unless otherwise prohibited. Sharing with law enforcement agencies and exceptions for informing other parties exist in some Binding Corporate Rules—even if the Article 29 Working Party has shown its discomfort with this issue in its Processor BCR guidance. Considering that there are severe monetary and criminal penalties for violating the secrecy requirements relating to National Security Letters and Foreign Intelligence Surveillance Court orders, such exemptions to inform others of disclosures to government agencies clearly fit under the requirements outlined above. However, revising these instruments to restrict disclosures to law enforcement agencies will only frustrate businesses and place them between a rock and a hard place—as is still done with respect to EU data protection compliance, e-discovery and SOX whistleblower hotline issues. Therefore, arguments for further restrictions on international data transfers as a result of these recent revelations should not carry the day.
Just as transborder data flows and their regulation are a reality, so is government surveillance. All governments access data about persons within and without their borders. The manner, scope, transparency and checks-and-balances of these programs may vary, but their existence does not. Unless all governments come clean on their surveillance programs, government surveillance will continue to be a muddy, but level, playing field. Law firms and think tanks have issued whitepapers arguing that governments all over the world have access to personal information held in the cloud. One whitepaper argues that the right of the government to access data stored in the cloud exists in every jurisdiction. Another attempts to dispel misconceptions related to the Foreign Intelligence Surveillance Act. Furthermore, as the capabilities of government surveillance programs increase, due to the interconnected nature of the Internet, they will be able to reach data stored in other countries—if they have not already. Therefore, erecting walls against transborder data flows due to surveillance concerns, when there is a city of tunnels under the walls for surveillance, only serves to frustrate those attempting to walk on the ground.
Furthermore, even without unilateral government surveillance, many countries have agreed to cooperate on criminal and national security issues. This cooperation is likely to provide governments with access to personal data that is not stored by an entity subject to their jurisdiction. For example, the United States has Mutual Legal Assistance Treaties with more than 60 countries, including all members of the EU. The U.S. and EU regularly cooperate against terrorism. Therefore, some of the international privacy and data protection issues that have been raised by the unilateral collection of information by the PRISM program may have already been resolved at the member state and EU level.
Nevertheless, the French Data Protection Authority, CNIL, has already announced that it has started an internal working group to study privacy and data protection issues arising from the access to French citizens’ personal data by foreign governments. The Article 29 Working Party is also likely to continue to investigate this issue. Therefore, the PRISM program and related disclosures are likely to affect the regulation process. Instead of adding restrictions, efforts should be made to streamline the upcoming laws and compliance obligations for businesses and to make current laws uniform in application.
If the regulation of transborder transfers of personal data increases, businesses on both sides of the Atlantic will likely be affected. These changes will not only adversely impact the cloud service providers, who depend on the EU Safe Harbor or Standard Contractual Clauses, but also other multinationals who transfer personal information—due to their internal HR data transfers or otherwise. The added cost and complexity of abiding by these obligations may adversely affect the bottom line of small- and medium-size enterprises. However, it is unlikely to change the surveillance programs of any particular government.
Mehmet Munur, CIPP/US, is an attorney at Tsibouris & Associates, LLC. He concentrates his practice in the areas of technology, financial services and information privacy and security. He advises clients on a wide variety of international, federal and state privacy and security laws and compliance issues.