New Platforms Need Privacy By Design
When it comes to cross-border data flow agreements, Safe Harbor is out, and Privacy Shield is in and could stifle the way entrepreneurs grow in the digital economy.
Safe Harbor was a data transfer agreement between the United States and Europe that facilitated information sharing among thousands of companies and dozens of industries on both sides of the Atlantic for almost 15 years. The agreement ended after a lawsuit brought by the Austrian activist Max Schrems, whose concerns focused on privacy and surveillance practices brought to light by the revelations of Edward Snowden.
Snowden’s leaks brought into question whether American companies were in violation of the European Union’s Data Protection Policy. Last year, as a result of Schrem’s lawsuit, an E.U. court sided with Schrems, resulting in the dissolution of the Safe Harbor agreement. Now, the Privacy Shield agreement seems poised to take its place.
The new agreement has many of the same provisions contained within the original Safe Harbor. Companies seeking to transfer personal information between the United States and E.U. must become “certified” under the auspices of the Department of Commerce. In order to qualify for certification, firms must:
- Subject to the authority of a U.S. government agency that can ensure compliance with the principles of the agreement (e.g. FTC, Department of Commerce, etc.);
- Publicize its commitment to the principles of the Privacy Shield;
- Implement the principles of the Privacy Shield.
Certifications must be renewed annually and provide the Department of Commerce with “a detailed description of its activities involving E.U. residents’ personal data and its related privacy policies.”
While the new agreement maintains certainty regarding the ability for companies to engage in cross-border digital data transfers, the Privacy Shield imposes far more stringent requirements on digital service providers.
Many of the details of the seven principles in the agreement could potentially deliver a significant blow to data innovation and collection practices. One particularly troubling provision is the “Data Integrity and Purpose Limitation” requirement under Section 2.1, whereby:
“Personal data must be limited to what is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current. An organisation may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorised by the data subject.”
The principle further requires that any personal information may be retained “only for as long as it serves the purpose(s) for which it was initially collected or subsequently authorised.” The trouble with a provision of this nature is that it fails to account for the possible innovations that could occur with data for purposes not “initially collected or subsequently authorised.”
Such onerous and prescriptive requirements are surefire innovation killers — especially in the digital economy — and likely serve as a perfect example of why E.U. firms are playing second fiddle to their American counterparts.
However, as some have noted, this agreement is a foundation upon which we might build opportunities for further negotiation in the future. The first step is providing for a certain degree of market certainty in cross-border digital data flows.
What happens now that the Privacy Shield agreement is out of its beta stage?
As Larry Downes discussed earlier this year, E.U. approval of the Privacy Shield will nonetheless result in many more months (possibly years) of market uncertainty for Internet companies. Importantly, he provides a number of market-based recommendations for how to minimize information misuse, while recognizing the inherent inability of governments to provide real, air-tight protections for individuals’ personal information. Downes noted,
“The architecture of the [Internet] and the unique economic properties of information make it effectively impossible to control digital conduct across borders drawn during the Industrial Age. The internet was born global.”
Among his suggestions, Downes argues:
- Support the efforts of non-governmental organizations in setting standards, best practices in transparency and accountability, and other self-regulating mechanisms promoting “trust seals”;
- Companies should lead by working with consumers in designing appropriate privacy safeguards into their products by design; and
- Consumers and firms will likely have to “ride out the storm” in order to avoid future privacy panics, often the result of the “creepy factor” new technologies engender in the public’s mindset.
For new entrepreneurs entering the Internet business ecosystem, the key takeaway here is that there needs to be thinking about baking in “privacy by design” when developing new platforms. Adhering to industry best practices and self-selecting into a self-regulating association might be the best way for rising entrepreneurs to help insulate their startups from this still-evolving frontier. Especially if they don’t yet have the money to invest in a crack shot legal team.
Prescriptive cross-country data flow regulations and rules are bad news for startups and entrepreneurs. Large corporations will always have the time and resources to comply with even the most stringent of regulations. Small companies and individuals creating the next major data-driven software platform, however, seldom have the money to hire even a single on-staff counsel, let alone a legal dream team.
Investors seldom wish to invest in building out significant legal capabilities for new companies — they, like entrepreneurs, are focused on building products, deploying to market and scaling to maximize earning potential. Those components are going to be increasingly international in scope, as more and more of the world’s population comes online in the next decade. That’s why agreements like the Privacy Shield are so immensely important: they ensure transnational market certainty online.
Transatlantic data flows are critically important to innovation and economic growth in the digital ecosystem. They’re part of what has engendered the growth of the modern, Internet-based economic miracle. Let’s hope the Privacy Shield can help serve as a solid foundation to build upon.