In-house counsel and IT directors at tech companies are facing tough challenges in balancing data protection compliance and responding to increasing pressure from law enforcement agencies for access to data without compromising security or consumer confidence.
One of the reasons for this is the introduction of new data protection regulation in 2016, including the Privacy Shield agreement following the dissolution of Safe Harbor and the confirmation of the forthcoming EU General Data Protection Regulation (GDPR).
GDPR has been anticipated for the past three years. However, the Regulation was only finalised in 2016, giving companies just two years until the GDPR is enforced in May 2018.
The main points of interest are:
- Increased fines for breaches of the GDPR, up to 4% of the annual global turnover
- A “Privacy by design” provision requires that data protection is designed into business services. Measures to protect data must be taken from the start of client engagement.
- Explicit consent must be obtained for the collection and processing of data. Contracts with clients should include a section on consent.
- Multinational companies working across the EU will be required to appoint an independent Data Protection Officer. This will be a challenging role to fulfil given the breadth of knowledge required both to manage IT systems and to be familiar with the legal aspects of the GDPR.
- International companies based outside the EU, but which hold data inside the EU, will be subject to these regulations.
- “Right to erasure”. A client has the right to request the erasing of personal data. Organisations need to take steps to understand how easily and cost-effectively they can comply with these requests.
In addition to this, companies transferring data between the United States and the EU will now be subject to the recently-agreed Privacy Shield arrangement. The basis for the agreement is centred on the following 7 privacy principles[i]:
- Accountability for Onward Transfer
- Data Integrity and Purpose Limitation
- Recourse, Enforcement and Liability
In addition to these principles, the EU-US Privacy Shield will:
- Introduce an Ombudsman to investigate any complaints regarding access to data by US Intelligence agencies
- Conduct a joint annual review by the European Union and Department of Commerce of the program
Although many of the changes in data protection law have been in response to technological developments such as social media, the European Commission has also taken a consumerist focus, commenting that privacy is a key concern for its citizens and as such, legislation such as the GDPR takes this into account.
Equally, Safe Harbor was dissolved due to action by Maximilian Schrems, a private citizen, who had concerns over the way data belonging to EU citizens was being handled. This background, as well as the need for regulatory compliance, perhaps explains why companies have been reluctant to comply with growing pressure from law enforcement.
The FBI v Tech providers
In 2015 and 2016, Apple received and challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789. Most of these sought to compel Apple to assist with extracting data from locked iPhones in order to assist in criminal investigations and prosecutions. A few requests, however, involved devices with more extensive security protections that would require Apple to write ‘back door’ software to allow the government to directly access data.
Many commentators have been sceptical that the FBI needed to take Apple to court, arguing that it has the technical know-how to extract data from these devices without assistance. Some privacy advocacy groups believe these court cases are not about technology but about establishing a legal precedent for wider access and surveillance.
A number of organisations such as WhatsApp, the online messaging service, have responded to this climate by introducing end-to-end encryption to increase users’ privacy and security. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network.
In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo or video travelling through its network. Like Apple, WhatsApp is, potentially, blocking law enforcement agencies, but is doing so on a larger scale than Apple, as WhatsApp is used on one billion devices including iPhones, Android, Windows, and even older Nokia phones.
Although third-party forensic specialists can now decrypt WhatsApp messages, it is likely that this will result in WhatsApp retaliating with further security updates. This effectively creates a vicious cycle of encryption and decryption.
This places in-house counsel in a difficult position, caught in the middle of these conflicting demands. On the one hand, they must ensure that their business practices meet the privacy requirements of regulators such as the European Commission and the standards demanded by their consumers. But equally, agencies such as the FBI have been putting increased pressure on companies to comply with their demands.
Companies with a low risk from law enforcement cases may opt to focus on ensuring they comply with all relevant data protection legislation. If a company does operate within a sphere that could attract the attention of the FBI and other enforcement agencies (e.g. communications, social media), then this is a delicate subject and one on which the company should seek expert legal advice. However, one potential resolution is cooperating with the enforcement agency to provide the information they seek via other channels and techniques.
As devices become more connected, it can be possible to access the required data from another device. For example, rather than examining a phone, an investigator could look at a computer (which might feature backups) or the Cloud.
Many people back up their phones on a computer. Investigators are then able to recover this data by taking an image of the computer’s hard drive and using forensic methods to search within the backup. This approach can often yield the following data types:
- Chat transcripts from apps such as WhatsApp
If a case requires emails or other kinds of unstructured data such as chat records, a wider net can be cast by including correspondents in the search for data. Ediscovery technology can sift through huge sets of unstructured data such as emails and instant messages, and techniques such as predictive coding mean that what could be a time-consuming exercise can be completed relatively efficiently.
By looking at the iPhone owner’s network of contacts, any incriminating evidence could be gained from data owned by the receiver rather than the original custodian. Ediscovery technology is especially suited to this kind of exercise as trained users can run searches for keywords and suspected code words which may be missed if someone simply reads the emails sequentially.
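The correspondent-side search described above, as an added example that is not from the original article or from any ediscovery product: messages to or from the subject are found in other custodians' mailboxes, matched against whole-word search terms, and de-duplicated. The mailboxes, addresses and search terms are constructed for illustration.

```python
import re

# Constructed sample data: mailboxes collected from two correspondents.
# The subject's own device is assumed to be unavailable to the review.
SUBJECT = "alice@example.com"
TERMS = ["parcels", "adjusted"]  # hypothetical keyword and suspected code word

M1 = {"id": "m1", "from": SUBJECT,
      "to": ["bob@example.com", "carol@example.com"],
      "body": "Move the Parcels before Friday."}
MAILBOXES = {
    "bob@example.com": [
        M1,
        {"id": "m2", "from": "bob@example.com", "to": ["dave@example.com"],
         "body": "Lunch on Friday?"},
    ],
    "carol@example.com": [
        M1,  # the same message, held by a second recipient
        {"id": "m3", "from": "carol@example.com", "to": [SUBJECT],
         "body": "Invoice 114 is adjusted, as agreed."},
        {"id": "m4", "from": "carol@example.com", "to": ["bob@example.com"],
         "body": "The parcels arrived."},  # keyword hit, but not the subject's mail
    ],
}


def search_correspondents(mailboxes, subject, terms):
    """Return {message id: {"terms": [...], "held_by": [...]}} for messages
    sent by or to `subject` that contain any term as a whole word."""
    if not terms:
        return {}
    pattern = re.compile(
        r"\b(" + "|".join(re.escape(t) for t in terms) + r")\b", re.IGNORECASE)
    hits = {}
    for custodian, messages in mailboxes.items():
        for msg in messages:
            if subject != msg["from"] and subject not in msg["to"]:
                continue  # not part of the subject's correspondence
            matched = sorted({m.lower() for m in pattern.findall(msg["body"])})
            if not matched:
                continue
            # De-duplicate by message id, recording every custodian holding a copy.
            hit = hits.setdefault(msg["id"], {"terms": matched, "held_by": []})
            hit["held_by"].append(custodian)
    return hits


if __name__ == "__main__":
    for msg_id, hit in search_correspondents(MAILBOXES, SUBJECT, TERMS).items():
        print(msg_id, hit["terms"], "held by", ", ".join(hit["held_by"]))
```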
For suspected fraud, it may be possible to isolate patterns from available financial data using data visualisation tools. Data analytics specialists can take large sets of structured data (e.g. spreadsheets, data held in relational databases) and find previously unseen abnormalities that can be pinpointed to specific individuals. This evidence can then be used alongside other data to build a case.
2017 is unlikely to see a dilution in the tension between security and data privacy. The UK’s decision to leave the EU and the Prime Minister’s announcement that Article 50 will be invoked in March may even have the effect of complicating the situation still further. However, from a lawyer’s point of view, the ability to identify and report on a wide range of data sources using intelligent technology will only become more important across the board.